Bugtraq mailing list archives

Re: Another request for passwords


From: chowes () helix net (Charles Howes)
Date: Sun, 23 Oct 1994 18:37:45 -0700 (PDT)


On Sun, 23 Oct 1994, Rich Holland wrote:

> you wrote:
>
>> Yes, someone broke into an account here at Helix, and seems to have a
>> grudge against one or more people.  Vanepp in particular.
>
> Sounds like they've broken into more than one account there....
>
>> Argh.  This is the third mailbomb.  I'm supposed to be in charge of
>> security; how do you protect against this??!?
>
> I'd go through your lastlog, and call everyone who's logged in during
> the past 2 weeks.  Ask them the last time they logged in.  If what they
> say doesn't match, change their password, and force them to change it next
> time they log in...
>
> Otherwise, look through your logs, find out where the mailbombs are
> coming from, and shut down those accounts.  Turn on sendmail debugging to
> keep better logs.  Run crack41-ufc over your password file; it appears
> someone else has already.

What we've done:
  - Did crack41-ufc.  Too late.
  - Sendmail debugging is on.
  - Mailbombs are coming from cracked accounts.
  - Set up shadow passwords.
  - Set everyone's shell to /bin/crackedsh, which will print a message
    telling them to call us and confirm their existence.

This should kill all crackers, once and for all.

Now we need to start using Skey, if we want real security.
--
Charles Howes -- chowes () helix net
 Always tell the truth, then you make it the other bloke's problem! 
 - Sean Connery, 1971   
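
The lastlog check suggested in the quoted advice (call everyone who logged in during the past 2 weeks and compare their answer with the record), as an added example that is not part of the original message. It assumes the column layout printed by the shadow-utils `lastlog` command; the account names, timestamps, owner answers and the 12-hour tolerance are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7))
NOW = datetime(1994, 10, 23, 18, 37, 45, tzinfo=PDT)  # constructed "today"

# Constructed sample, laid out like shadow-utils `lastlog` output (assumption).
SAMPLE_LASTLOG = """\
Username         Port     From             Latest
root             tty1                      Sun Oct 23 09:12:40 -0700 1994
alice            ttyp3    dialup7          Thu Oct 20 22:05:13 -0700 1994
bob              ttyp1    remote.example   Sat Oct 15 03:41:02 -0700 1994
carol            ttyp2    dialup2          Fri Sep 30 18:20:55 -0700 1994
dave                                       **Never logged in**
"""

# Constructed answers collected by phone: user -> when they say they last logged in.
REPORTED = {
    "root": datetime(1994, 10, 23, 9, 0, tzinfo=PDT),
    "alice": datetime(1994, 10, 20, 22, 0, tzinfo=PDT),
    "bob": datetime(1994, 10, 12, 20, 0, tzinfo=PDT),
}

# Port/From may be empty, so anchor on the timestamp at the end of the line.
STAMP = re.compile(r"(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d [+-]\d{4} \d{4})\s*$")

def recent_logins(text, now, days=14):
    """Return {user: last_login} for accounts seen within `days` of `now`."""
    cutoff = now - timedelta(days=days)
    seen = {}
    for line in text.splitlines()[1:]:          # skip the header row
        m = STAMP.search(line)
        if not m:                               # "**Never logged in**" or blank
            continue
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %z %Y")
        if when >= cutoff:
            seen[line.split()[0]] = when
    return seen

def needs_reset(recorded, reported, tolerance=timedelta(hours=12)):
    """Accounts with no owner answer, or an answer that disagrees with the record."""
    return [user for user, when in sorted(recorded.items())
            if user not in reported or abs(when - reported[user]) > tolerance]

if __name__ == "__main__":
    to_call = recent_logins(SAMPLE_LASTLOG, NOW)
    print("call:", sorted(to_call))
    print("change password and force a change at next login:",
          needs_reset(to_call, REPORTED))
```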


