Troubling phone calls

Chris Lewis clewis at ferret.ocunix.on.ca
Sat Feb 9 15:00:40 AEST 1991


In article <b0efha.ba2 at wang.com> fitz at wang.com (Tom Fitzgerald) writes:
>> Checking our dialup lines for security problems, I've noticed that *someone*
>> keeps calling us as uucp, something like 40 times a day.  We haven't been a
>> uucp site for 3 years, at least, probably longer, and the old password is
>> locked on our machine.

>When you were a UUCP site, did you have different logins for each neighbor,
>or the same login for all neighbors?  If the latter, you're screwed.  If
>the former, you can watch for a "login <name>" process to be exec'd by
>getty when the machine tries to get in.  The login process will last until
>uucico (or login) times out.

Easier than that.  Even if they call you as "uucp".  Reenable your
uucp logins.  If you're a USERFILE uucp, replace the contents of USERFILE
with:

	, /tmp/thisisanimpossibleplace
	, /tmp/thisisanimpossibleplace

(some uucico's had a bug in that the last entry had to be duplicated
to work).  If an HDB site, replace the Permissions file with something
like (check your docs to make sure):

	LOGNAME=OTHER MACHINE=OTHER READ=/tmp/thisisanimpossibleplace \
	WRITE=/tmp/thisisanimpossibleplace SEND=no RECEIVE=no

And then move /usr/lib/uucp/uuxqt to somewhere else.

Then wait.  Your logs will fill with connections from the rogue dialer,
with the UUCP node name in the log file.  The rogue dialer won't be able to
do anything because you've explicitly prevented them from getting anywhere
that would be a problem (they won't know its name anyhow), and they couldn't
possibly execute anything either.  So, anything they attempt to do will be
met with permission denied or missing uuxqt.

Using the node name you get, you may be able to figure out where
it's coming from.  Chances are it's one of your neighbors that didn't
bother removing you from their sys file, and something ended up
enqueued to you.
-- 
Chris Lewis, Phone: (613) 832-0541, Internet: clewis at ferret.ocunix.on.ca
UUCP: uunet!mitel!cunews!latour!ecicrl!clewis
Moderator of the Ferret Mailing List (ferret-request at eci386)
Psroff enquiries: psroff-request at eci386, current patchlevel is *7*.
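
The log-reading step described in the post ("Then wait"), as an added example that is not part of the original message: a small tally of inbound sessions per UUCP node name per day. The log line layout, the sample lines and the node names nodea/nodeb are assumptions constructed for illustration; check the format your own uucico writes.

```shell
#!/bin/sh
# Added example. Assumed HDB-style log line layout (it varies between UUCP
# versions, so compare with your own log files first):
#   user node (month/day-hh:mm:ss,pid,seq) status (detail)

# sample_log: constructed log lines; nodea and nodeb are made-up node names.
sample_log() {
    cat <<'EOF'
uucp nodea (2/9-03:10:02,1201,0) OK (startup)
uucp nodea (2/9-03:10:05,1201,0) PERMISSION (DENIED)
uucp nodea (2/9-03:40:11,1260,0) OK (startup)
uucp nodeb (2/9-09:15:30,1422,0) OK (startup)
uucp nodea (2/10-03:10:04,1733,0) OK (startup)
garbage line without the expected fields
EOF
}

# tally_sessions: read log lines on stdin and print "count node month/day",
# busiest first. One session = one distinct uucico pid for a node on a day,
# so several log lines from the same call are counted once.
tally_sessions() {
    awk '
        # Skip anything whose third field is not "(date-time,pid,seq)".
        NF >= 4 && $3 ~ /^\([0-9]+\/[0-9]+-[0-9:]+,[0-9]+,[0-9]+\)$/ {
            split(substr($3, 2), f, "[-,]")   # f[1]=month/day, f[3]=pid
            key = $2 " " f[1]
            if (!((key, f[3]) in seen)) {
                seen[key, f[3]] = 1
                sessions[key]++
            }
        }
        END { for (k in sessions) print sessions[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

sample_log | tally_sessions
```

To use it on real data, pipe the relevant log files into `tally_sessions` in place of `sample_log`.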



More information about the Comp.unix.admin mailing list