Path: utzoo!utgpu!attcan!uunet!ispi!jbayer
From: jbayer@ispi.UUCP (Jonathan Bayer)
Newsgroups: news.admin
Subject: Re: Is uunet a security hole?
Summary: What, no password?
Message-ID: <381@ispi.UUCP>
Date: 29 Dec 88 15:51:54 GMT
References: <10420@rpp386.Dallas.TX.US>
Organization: Intelligent Software Products, Inc.
Lines: 60

In article <10420@rpp386.Dallas.TX.US>, jfh@rpp386.dallas.tx.us (The Beach Bum) writes:
=
=
= I was thinking about various security problems I have with this system
= and a possible problem on other systems occurred to me.
=
= This site has a public access UUCP connection.  The login and phone
= number are both well known.  I have long been aware that having this
= information be public is inviting crackers to come visiting, and in
= the last three months or so, I have been the subject of a few failed
= attempts.  So, I have been on my guard since this site was first put
= on the net a year ago, and each new attempt gives me more points to
= ponder.
=
= Today I thought about another possible problem - the well connected
= site.  Say that there exists a very well connected site.  One which
= talked with a large fraction of the net.  For example, uunet.  The
= system name is known, and because the system is well managed, the
= connection might even be trusted.  So, the scenario is that a cracker
= tries to gain access to a site using `uunet' as its system name and
= sees what is available.
=
= Well, this is exactly what happened here today.  Below are the log
= entries from an aborted attempt:
=
= uucp uunet (12/27-15:42) OK (startup)
= uucp uunet (12/27-15:42) REQUESTED (S D.rpp386c3ec27 X.rpp386C6c3e yls - yls)
= yls uunet (12/27-15:42) REQUESTED (R /usr/mail/uucp /usr/spool/uucppublic yls -dc dummy 777 yls)
= yls uunet (12/27-15:42) USERFILE: access denied (/usr/mail/uucp)
= yls uunet (12/27-15:42) REQUESTED (R /etc/passwd /usr/spool/uucppublic/passrpp yls -dc dummy 777 yls)
= yls uunet (12/27-15:42) USERFILE: access denied (/etc/passwd)
= yls uunet (12/27-15:42) OK (conversation complete)
= uucp br549 (12/27-15:42) yls XQT DENIED (uucp -C /usr/spool/uucppublic/* br549!/usr/spool/uucppublic )
=

The first question is:  Is there a password for uunet on your system?

If so, then:  How did this person get the password?  If he got it from
uunet, then the obvious result is:

UUNET HAS HAD A MAJOR SECURITY BREAK.  SOMEBODY HAS A COPY OF UUNET's
Systems FILE, AND HAS ACCESS TO EVERY SYSTEM THAT UUNET CALLS UP.

Obviously, if you don't have a password for uunet then you are taking a
major risk, since anybody who wishes to can dial up and log in as uunet.

-- 
Jonathan Bayer                          ------------------------------------
Intelligent Software Products, Inc.     "The time has come," the Walrus said...
19 Virginia Ave.                        ------------------------------------
Rockville Centre, NY 11570  (516) 766-2867
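
An added example, not part of the original post or thread: a small parser that groups refused requests and reads outside the public spool by the system name the caller claimed, run over the log entries quoted above. The line layout, the meaning of the first path in an "R" request, the regexes and the function names are assumptions inferred from that sample.

```python
import re
from collections import defaultdict

# Log entries as quoted in the post (quote prefix stripped).
SAMPLE_LOG = """\
uucp uunet (12/27-15:42) OK (startup)
uucp uunet (12/27-15:42) REQUESTED (S D.rpp386c3ec27 X.rpp386C6c3e yls - yls)
yls uunet (12/27-15:42) REQUESTED (R /usr/mail/uucp /usr/spool/uucppublic yls -dc dummy 777 yls)
yls uunet (12/27-15:42) USERFILE: access denied (/usr/mail/uucp)
yls uunet (12/27-15:42) REQUESTED (R /etc/passwd /usr/spool/uucppublic/passrpp yls -dc dummy 777 yls)
yls uunet (12/27-15:42) USERFILE: access denied (/etc/passwd)
yls uunet (12/27-15:42) OK (conversation complete)
uucp br549 (12/27-15:42) yls XQT DENIED (uucp -C /usr/spool/uucppublic/* br549!/usr/spool/uucppublic )
"""

PUBLIC_DIR = "/usr/spool/uucppublic"  # assumed to be the only tree remotes may read
# Layout inferred from the sample: user, system, (MM/DD-HH:MM), status text.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\((\d\d/\d\d-\d\d:\d\d)\)\s+(.*)$")
DENIED_RE = re.compile(r"(USERFILE: access denied|XQT DENIED)\s*\((.*)\)\s*$")
# Assumption: in "REQUESTED (R src dst ...)" the first path is the local file asked for.
READ_RE = re.compile(r"^REQUESTED \(R (\S+) ")

def parse(log_text):
    """Yield (user, system, time, status) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def suspicious_by_system(log_text):
    """Group refused requests and reads outside PUBLIC_DIR by claimed system name."""
    report = defaultdict(lambda: {"denied": [], "outside_reads": []})
    for user, system, stamp, status in parse(log_text):
        denied = DENIED_RE.search(status)
        if denied:
            report[system]["denied"].append(
                (stamp, denied.group(1), denied.group(2).strip()))
        read = READ_RE.match(status)
        if read and not read.group(1).startswith(PUBLIC_DIR + "/"):
            report[system]["outside_reads"].append((stamp, user, read.group(1)))
    return dict(report)

if __name__ == "__main__":
    for system, found in suspicious_by_system(SAMPLE_LOG).items():
        print(system, found)
```

The system name in each entry is only what the caller claimed at login, so a report keyed on it shows which name was used, not who was on the line.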