Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!linus!philabs!prls!pyramid!hplabs!amdahl!gam From: gam@amdahl.UUCP (G A Moffett) Newsgroups: net.news Subject: Are we all victims of prankster-hackers? Message-ID: <3344@amdahl.UUCP> Date: Wed, 11-Jun-86 03:17:03 EDT Article-I.D.: amdahl.3344 Posted: Wed Jun 11 03:17:03 1986 Date-Received: Thu, 12-Jun-86 01:18:01 EDT Reply-To: gam@amdahl.UUCP (G A Moffett) Followup-To: net.news Organization: Amdahl Corp, UTS Products Group Lines: 51 Summary: rnews is a threat to your uucp system We received what must have been dozens of articles, alledgedly from david@ukma.UUCP, which produced the following in our log file: Jun 10 19:24 hplabs.hplabs.UUCP received ng net.general.ctl subj 'forged cancel cmsg -- flames to david@ukma.UUCP' Jun 10 19:24 hplabs.hplabs.UUCP from dobro@ulowell.UUCP (Chet Dobro) relay version B 2.10.3 4.3bsd-beta 6/6/85; site hplabs.hplabs.UUCP Jun 10 19:24 hplabs.hplabs.UUCP Ctl Msg net.general.ctl from hplabs!sdcrdcf!burdvax!psuvax1!psuvm.bitnet!ukma!david: cancel <41@mirror.mirror.UUCP> Jun 10 19:24 hplabs.hplabs.UUCP linecount expected 1, got 2 Jun 10 19:24 hplabs.hplabs.UUCP waiting on lock for /tmp/L Jun 10 19:25 hplabs.hplabs.UUCP waiting on lock for /tmp/L Jun 10 19:26 hplabs.hplabs.UUCP waiting on lock for /tmp/L ... and so on. It's main side effect appeared to be forcing pointless (but finite) looping in rnews. Fortunately the looping was spent mostly in sleep(3)ing, but the many articles -- a few dozen at least -- forced rnews to sleep so long that uuxqt forgot about it (the LCK.XQT file wasn't updated). I am not plannig to flame david@ukma for this. At least until further evidence is provided, I doubt that this was his work. He is an UUCP Admin at the University of Kentucky, according to the Usenet/UUCP maps, and I can imagine what sort of cute pranks like this bored college hackers would love to try, blaming a convienient target. The prior article found in the 'control' newsgroup was also from david@ukma.UUCP so perhaps that was the source of an article which the pranksers forged. I don't know what the trick was to posting this article, but it is a terrible warning about what sort of power the network has via rnews. It took a moderately panicked seach to determine what the true cause was, but I didn't find this article in the spool directory. It wasn't until I killed *all* uuxqts (there were three at that point) and deleted all incoming news that this ridiculous stream of prankish articles and the problem went away (or so it seems ...). What did other sites do? Or are you aware that this ``bug'' exists? (do you have more than one uuxqt running now?). I do not yet have a patch to rnews to prevent this problem (I don't know exactly what to prevent). But look, ye, and weep: all your systems are vulnerable to potentially damaging (to netnews, at least) pranks. And to think we haven't even gotten rid of the line eater .... -- _G_o_r_d_o_n _A. _M_o_f_f_e_t_t ...!{ihnp4,seismo,hplabs}!amdahl!gam Inferior people should not be employed. -- [ This does not represent Amdahl Corporation ]