----------------------------------------------------------------
FORWARDED MESSAGE
Subject: [Fwd: [STATE-COORD-L] Allen, You Have A Problem in Ohio]
----------------------------------------------------------------
This note is mainly intended for Allen Richmond, but I'm posting it
to STATE-COORD-L because it affects USGenWeb in general.
By deliberate decision, security on WWW.ROOTSWEB.COM has always been
fairly lax. The reason is that security and functionality are
inversely related; for example, when crackers infested our servers
before, we had to take TELNET access away from all the users to
prevent further damage.
RootsWeb does take security very seriously, though, and we do
maintain continuous surveillance over our servers. We've been
watching one particular guy for some time. Besides poking through
other users' directories on the server, he's been stealing passwords
to other folks' accounts by looking at the /tmp files where we
assemble the welcome letters to new CCs. Although we'll change the
passwords and lock him out, the bad guy has access to a number of
accounts.
###
Allen, the bad guy is one of your people -- the person you have
trusted to maintain the ~ohdefunc and ~ohighla accounts, who is stealing
passwords from other USGenWebbers. The bad guy uses Netcom and is
located in or near Hamden, Ohio.
Allen, could you identify the person who is maintaining those
accounts so the other SCs and CCs can know who is stealing USGenWeb
passwords? I think the SCs and CCs have a legitimate right to
expect at least an apology from this person.
[ RootsWeb is working with Netcom separately to completely
unambiguously identify the bad guy. But we'd prefer Allen dealt
with this as a USGenWeb matter rather than RootsWeb dealing with
it as a legal problem ... ]
###
SCs, I have bad news and good news. The bad news is that this is
going to cause RootsWeb to substantially tighten up our security.
That will probably cause some modest problems for a few CCs. The
good news is that we're going to be adding more tools for the CCs
over the next few months, and in the end CCs should be both more
secure and also have facilities that are much more powerful than any
other server on The Net.
###
BTW, for the technically inclined, I've included an excerpt from our
logs that illustrates the problem. We log just about everything
that happens on WWW.ROOTSWEB.COM, though, so this is a tiny fraction
of what we've seen as we watched this guy.
Thanks Allen and all, B.
>> The first part is the bad guy doing some routine and acceptable
>> maintenance on the ohdefunc and ohighla accounts. The "_ i"
>> means those files are being uploaded: this is the smoking gun
>> that tells you the bad guy is whoever is maintaining the
>> ohdefunc and ohighla accounts.
Sat Jul 24 11:27:32 1999 1 ham-oh5-98.ix.netcom.com 556 /u1/home0001/usa/oh/ohdefunc/.xfm/Apps a _ o r ohdefunc ftp 0 *
Sat Jul 24 11:27:55 1999 1 ham-oh5-98.ix.netcom.com 286 /u1/home0001/usa/oh/ohdefunc/.xfm/Hosts a _ o r ohdefunc ftp 0 *
Sat Jul 24 11:28:49 1999 2 ham-oh5-98.ix.netcom.com 3556 /u1/home0001/usa/oh/ohdefunc/public_html/whereis.html a _ i r ohdefunc ftp 0 *
Sat Jul 24 11:29:00 1999 2 ham-oh5-98.ix.netcom.com 10457 /u1/home0001/usa/oh/ohdefunc/public_html/historical/c.html a _ i r ohdefunc ftp 0 *
Sat Jul 24 11:30:44 1999 2 ham-oh5-98.ix.netcom.com 6961 /u1/home0001/usa/oh/ohighla/public_html/index.htm a _ i r ohhighla ftp 0 *
>> The two /tmp files the bad guy is harvesting below contain
>> passwords for USGenWeb accounts. We've closed this security
>> hole, now that we have enough information to identify the bad
>> guy.
Sat Jul 24 11:31:25 1999 1 ham-oh5-98.ix.netcom.com 2464 /tmp/new.account a _ o r wvwyomin ftp 0 *
Sat Jul 24 11:31:55 1999 1 ham-oh5-98.ix.netcom.com 1449 /tmp/renew.account a _ o r wvwyomin ftp 0 *
>> This is the bad guy rummaging through my personal files.
Sat Jul 24 11:33:33 1999 1 ham-oh5-98.ix.netcom.com 19 /u1/home0013/leverich/myaliasfile a _ o r wvwyomin ftp 0 *
Sat Jul 24 11:33:47 1999 1 ham-oh5-98.ix.netcom.com 20016 /u1/home0013/leverich/ks.c.save a _ o r wvwyomin ftp 0 *
Sat Jul 24 11:34:05 1999 1 ham-oh5-98.ix.netcom.com 8215 /u1/home0013/leverich/index.htm a _ o r wvwyomin ftp 0 *
>> Here he goes looking through the staff and drafts directories.
Sat Jul 24 11:36:20 1999 1 ham-oh5-98.ix.netcom.com 867 /u1/home0001/ftpstaff/public_html/finalreport/tsld019.htm a _ o r wvwyomin ftp 0 *
Sat Jul 24 11:36:57 1999 1 ham-oh5-98.ix.netcom.com 2905 /u1/home0001/ftpstaff/public_html/finalreport/index.htm a _ o r wvwyomin ftp 0 *
Sat Jul 24 11:48:33 1999 1 ham-oh5-98.ix.netcom.com 1390 /u1/home0001/drafts/public_html/mockups/index.html a _ o r wvwyomin ftp 0 *
Sat Jul 24 11:49:21 1999 1 ham-oh5-98.ix.netcom.com 2296 /u1/home0001/drafts/public_html/mockups/contents.html a _ o r wvwyomin ftp 0 *
Sat Jul 24 11:51:32 1999 1 ham-oh5-98.ix.netcom.com 28672 /u1/home0001/tree.txt a _ o r wvwyomin ftp 0 *
Sat Jul 24 11:54:33 1999 1 ham-oh5-98.ix.netcom.com 23333 /u1/home0013/usr/local/apache/htdocs/rootsweb-1f5/listowners/guidelines.html a _ o r wvwyomin ftp 0 *
Sat Jul 24 11:56:41 1999 1 ham-oh5-98.ix.netcom.com 3931 /u1/home0001/users1/uslookup/public_html/oh.html a _ o r wvwyomin ftp 0 *
Sat Jul 24 11:57:55 1999 1 ham-oh5-98.ix.netcom.com 5204 /u1/home0001/users1/treehous/public_html/index.htm a _ o r wvwyomin ftp 0 *
>> And here he's downloading files from the Ohio collection of
>> the USGenWeb Archives.
Sat Jul 24 12:01:26 1999 1 ham-oh5-98.ix.netcom.com 2696 /u1/home0001/ftp/pub/usgenweb/oh/ross/bios/holderman.txt a _ o r wvwyomin ftp 0 *
Sat Jul 24 12:02:14 1999 1 ham-oh5-98.ix.netcom.com 2389 /u1/home0001/ftp/pub/usgenweb/oh/ross/obits/black01.txt a _ o r wvwyomin ftp 0 *
Sat Jul 24 12:03:05 1999 1 ham-oh5-98.ix.netcom.com 4497 /u1/home0001/ftp/pub/usgenweb/oh/pike/obits/wwiidx.txt a _ o r wvwyomin ftp 0 *
Sat Jul 24 12:04:18 1999 1 ham-oh5-98.ix.netcom.com 4149 /u1/home0001/ftp/pub/usgenweb/oh/pike/births/pikebir.txt a _ o r wvwyomin ftp 0 *
Sat Jul 24 12:04:36 1999 1 ham-oh5-98.ix.netcom.com 5763 /u1/home0001/ftp/pub/usgenweb/oh/pike/marriages/pikemar.txt a _ o r wvwyomin ftp 0 *
Sat Jul 24 12:05:00 1999 1 ham-oh5-98.ix.netcom.com 6226 /u1/home0001/ftp/pub/usgenweb/oh/scioto/cemeteries/sciotocem02.txt a _ o r wvwyomin ftp 0 *
Sat Jul 24 12:05:14 1999 1 ham-oh5-98.ix.netcom.com 1827 /u1/home0001/ftp/pub/usgenweb/oh/scioto/cemeteries/slocumcem.txt a _ o r wvwyomin ftp 0 *
Sat Jul 24 12:05:42 1999 1 ham-oh5-98.ix.netcom.com 5209 /u1/home0001/ftp/pub/usgenweb/oh/scioto/cemeteries/jenkinscem.txt a _ o r wvwyomin ftp 0 *
Sat Jul 24 12:06:17 1999 1 ham-oh5-98.ix.netcom.com 1193 /u1/home0001/ftp/pub/usgenweb/oh/scioto/cemeteries/munn-3.txt a _ o r wvwyomin ftp 0 *
Sat Jul 24 12:06:29 1999 1 ham-oh5-98.ix.netcom.com 1063 /u1/home0001/ftp/pub/usgenweb/oh/scioto/cemeteries/allen.txt a _ o r wvwyomin ftp 0 *
--
Dr. Brian Leverich Co-moderator, soc.genealogy.methods/GENMTD-L
RootsWeb Genealogical Data Cooperative
http://www.rootsweb.com/
P.O. Box 6798, Frazier Park, CA 93222-6798 leverich(a)rootsweb.com
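The excerpt above is wu-ftpd style xferlog output, and the two things it is used to argue are mechanical enough to check automatically: an account pulling the /tmp welcome-letter files, and an account downloading files that sit outside its own home directory, plus the fact that the same remote host performed both the ohdefunc uploads and the wvwyomin reads. The following Python is an added example written for this page, not RootsWeb's tooling and not part of the message. The record layout follows the wu-ftpd xferlog format; the HOMES map, the PUBLIC_PREFIXES tree and the final SAMPLE_LOG line (a benign upload from a second host) are assumptions constructed for the illustration.

```python
"""Flag cross-account reads in wu-ftpd style xferlog records.

Added example, not RootsWeb's tooling. The record layout is the wu-ftpd
xferlog format; HOMES, PUBLIC_PREFIXES and the last SAMPLE_LOG line are
assumptions made for this illustration, not facts from the message.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple
import posixpath

# Constructed sample: four records re-joined from the excerpt plus one
# assumed benign upload from a different host, to show a non-finding.
SAMPLE_LOG = """\
Sat Jul 24 11:28:49 1999 2 ham-oh5-98.ix.netcom.com 3556 /u1/home0001/usa/oh/ohdefunc/public_html/whereis.html a _ i r ohdefunc ftp 0 *
Sat Jul 24 11:31:25 1999 1 ham-oh5-98.ix.netcom.com 2464 /tmp/new.account a _ o r wvwyomin ftp 0 *
Sat Jul 24 11:33:33 1999 1 ham-oh5-98.ix.netcom.com 19 /u1/home0013/leverich/myaliasfile a _ o r wvwyomin ftp 0 *
Sat Jul 24 12:01:26 1999 1 ham-oh5-98.ix.netcom.com 2696 /u1/home0001/ftp/pub/usgenweb/oh/ross/bios/holderman.txt a _ o r wvwyomin ftp 0 *
Sat Jul 24 12:10:00 1999 1 dialup.example.net 512 /u1/home0001/usa/wv/wvwyomin/public_html/index.htm a _ i r wvwyomin ftp 0 *
"""

# Assumed account -> home directory map (the excerpt shows only some homes).
HOMES: Dict[str, str] = {
    "ohdefunc": "/u1/home0001/usa/oh/ohdefunc",
    "ohhighla": "/u1/home0001/usa/oh/ohighla",
    "wvwyomin": "/u1/home0001/usa/wv/wvwyomin",
}
# Assumed world-readable archive tree; downloads from here are normal.
PUBLIC_PREFIXES = ("/u1/home0001/ftp/pub/",)


@dataclass
class Xfer:
    when: datetime
    host: str
    size: int
    path: str
    direction: str  # "i" = upload to the server, "o" = download from it
    user: str


def parse_xferlog_line(line: str) -> Xfer:
    """Parse one xferlog record.

    Layout: <5 timestamp tokens> xfer-secs host size path type special
    direction access-mode user service auth-method auth-uid [status].
    wu-ftpd rewrites spaces in filenames to '_', so splitting is safe.
    """
    t = line.split()
    if len(t) < 17:
        raise ValueError(f"short xferlog record: {line!r}")
    when = datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y")
    return Xfer(when=when, host=t[6], size=int(t[7]), path=t[8],
                direction=t[11], user=t[13])


def is_within(path: str, root: str) -> bool:
    """True if the normalised path lies at or under directory root."""
    p = posixpath.normpath(path)
    r = posixpath.normpath(root)
    return p == r or p.startswith(r.rstrip("/") + "/")


def classify(x: Xfer) -> Optional[str]:
    """Return a finding label, or None when the transfer looks legitimate."""
    p = posixpath.normpath(x.path)
    if is_within(p, "/tmp"):
        return "tmp-harvest"  # no ordinary account should pull /tmp over FTP
    home = HOMES.get(x.user)
    if home and is_within(p, home):
        return None  # the account's own files
    if x.direction == "o" and any(p.startswith(pp) for pp in PUBLIC_PREFIXES):
        return None  # download from the public archive
    return "cross-account-read" if x.direction == "o" else "cross-account-write"


def scan(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, user, label, path) for every suspicious record."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        x = parse_xferlog_line(line)
        label = classify(x)
        if label:
            out.append((x.when.isoformat(sep=" "), x.user, label, x.path))
    return out


def shared_hosts(lines: List[str]) -> Dict[str, List[str]]:
    """Hosts from which more than one account transferred files.

    This is the message's linking step: the host that uploaded as
    ohdefunc is the same host that later read /tmp as wvwyomin.
    """
    seen: Dict[str, Set[str]] = {}
    for line in lines:
        if line.strip():
            x = parse_xferlog_line(line)
            seen.setdefault(x.host, set()).add(x.user)
    return {h: sorted(u) for h, u in seen.items() if len(u) > 1}


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    for finding in scan(sample):
        print(*finding)
    print(shared_hosts(sample))
```

Run against the constructed sample, scan() reports the /tmp/new.account pull and the read of /u1/home0013/leverich/myaliasfile, and stays silent on the ohdefunc upload into its own tree, the public-archive download and the assumed home-directory upload; shared_hosts() returns only ham-oh5-98.ix.netcom.com, with both ohdefunc and wvwyomin behind it. The normpath() calls matter: without them a path such as /u1/home0001/usa/wv/wvwyomin/../../../../../home0013/leverich/x would pass the own-home check.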