Xref: utzoo comp.unix.admin:988 comp.dcom.modems:8244 comp.misc:11403
Path: utzoo!utgpu!cunews!micor!latour!ecicrl!clewis
From: clewis@ferret.ocunix.on.ca (Chris Lewis)
Newsgroups: comp.unix.admin,comp.dcom.modems,comp.misc
Subject: Re: Troubling phone calls
Keywords: uucp, modem, security
Message-ID: <1312@ecicrl.ocunix.on.ca>
Date: 9 Feb 91 04:00:40 GMT
References: <1018@eplunix.UUCP>
Followup-To: comp.unix.admin
Organization: Elegant Communications Inc., Ottawa, Canada
Lines: 44

In article fitz@wang.com (Tom Fitzgerald) writes:
>> Checking our dialup lines for security problems, I've noticed that *someone*
>> keeps calling us as uucp, something like 40 times a day.  We haven't been a
>> uucp site for 3 years, at least, probably longer, and the old password is
>> locked on our machine.

>When you were a UUCP site, did you have different logins for each neighbor,
>or the same login for all neighbors?  If the latter, you're screwed.  If
>the former, you can watch for a "login " process to be exec'd by
>getty when the machine tries to get in.  The login process will last until
>uucico (or login) times out.

Easier than that.  Even if they call you as "uucp".

Reenable your uucp logins.  If you're a USERFILE uucp, replace the
contents of USERFILE with:

	, /tmp/thisisanimpossibleplace
	, /tmp/thisisanimpossibleplace

(some uucico's had a bug in that the last entry had to be duplicated to
work).

If an HDB site, replace the Permissions file with something like (check
your docs to make sure):

	LOGNAME=OTHER MACHINE=OTHER READ=/tmp/thisisanimpossibleplace \
		WRITE=/tmp/thisisanimpossibleplace SEND=no RECEIVE=no

And then move /usr/lib/uucp/uuxqt to somewhere else.

Then wait.  Your logs will fill with connections from the rogue dialer,
with the UUCP node name in the log file.

The rogue dialer won't be able to do anything because you've explicitly
prevented them from getting anywhere that would be a problem (they won't
know its name anyhow), and they couldn't possibly execute anything either.
So, anything they attempt to do will be met with permission denied or
missing uuxqt.

Using the node name you get, you may be able to figure out where it's
coming from.  Chances are it's one of your neighbors that didn't bother
removing you from their sys file, and something ended up enqueued to you.
-- 
Chris Lewis, Phone: (613) 832-0541, Internet: clewis@ferret.ocunix.on.ca
UUCP: uunet!mitel!cunews!latour!ecicrl!clewis
Moderator of the Ferret Mailing List (ferret-request@eci386)
Psroff enquiries: psroff-request@eci386, current patchlevel is *7*.
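The two follow-up steps the post describes, reading the caller's node name out of the uucico log and confirming that the decoy Permissions entry really denies everything, as an added example that is not part of the post and not any vendor's uucp code. The log line format used here is a constructed approximation of HDB-style uucico logging (`login node (date,pid,seq) STATUS (detail)`); real formats differ between uucp implementations, so the `LOG_LINE` pattern is an assumption to adjust. The Permissions keywords `SEND`/`RECEIVE` are taken as written in the post's example; as the post says, check your own documentation for the exact keys your uucp expects.

```python
import re
from collections import Counter

# Constructed sample log (not real data). Approximates HDB uucico lines:
#   <login> <node> (<mm/dd-hh:mm:ss>,<pid>,<seq>) <status> (<detail>)
SAMPLE_LOG = """\
uucp rogue1 (2/9-03:12:05,1201,0) OK (startup)
uucp rogue1 (2/9-03:12:06,1201,0) FAILED (CAN'T ACCESS FILE)
uucp rogue1 (2/9-03:12:07,1201,0) OK (conversation complete)
uucp rogue1 (2/9-04:40:11,1302,0) OK (startup)
uucp oldpal (2/9-05:01:00,1310,0) OK (startup)
garbage line that does not match
"""

# The decoy Permissions entry from the post, as a Python string.
SAMPLE_PERMISSIONS = (
    "LOGNAME=OTHER MACHINE=OTHER READ=/tmp/thisisanimpossibleplace \\\n"
    "\tWRITE=/tmp/thisisanimpossibleplace SEND=no RECEIVE=no\n"
)

# Assumed log line shape; adapt to the uucico actually in use.
LOG_LINE = re.compile(
    r"^(?P<login>\S+)\s+(?P<node>\S+)\s+"
    r"\((?P<stamp>[^,]+),(?P<pid>\d+),\d+\)\s+"
    r"(?P<status>\S+)\s+\((?P<detail>[^)]*)\)"
)


def parse_log(text):
    """Yield one dict per parseable log line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def startups_by_node(text):
    """Count session startups per calling UUCP node name."""
    counts = Counter()
    for rec in parse_log(text):
        if rec["detail"] == "startup":
            counts[rec["node"]] += 1
    return counts


def suspicious_nodes(text, threshold):
    """Node names with at least `threshold` startups, most frequent first."""
    return [node for node, k in startups_by_node(text).most_common() if k >= threshold]


def parse_permissions(text):
    """Parse an HDB Permissions file: KEY=VALUE tokens, backslash-newline continues a line."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries


def is_locked_down(entry, decoy_dir="/tmp/thisisanimpossibleplace"):
    """True if the entry denies transfers and confines paths to the decoy directory."""
    return (
        entry.get("SEND") == "no"
        and entry.get("RECEIVE") == "no"
        and entry.get("READ") == decoy_dir
        and entry.get("WRITE") == decoy_dir
    )


if __name__ == "__main__":
    for node, k in startups_by_node(SAMPLE_LOG).most_common():
        print(f"{node}: {k} startup(s)")
    print("suspicious:", suspicious_nodes(SAMPLE_LOG, 2))
    for entry in parse_permissions(SAMPLE_PERMISSIONS):
        print("locked down:", is_locked_down(entry), entry)
```

Run it against the real log (on HDB systems typically under the uucp spool's `.Log` directory, on older systems the single `LOGFILE`) and the real Permissions file instead of the constructed strings; the node names with the highest startup counts are the ones to compare against your old neighbours' sys entries.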