Conference noted::hackers_v1

It's in P1 at ctl$t_nodename and ctl$t_remoteid. You can write a 
program invoked in login or sylogin if mode is network or if mode is
interactive and fterminal is RTxx to grab it and take decision.


jer

Look in the ACCOUNTNG.DAT file

/Bevin

This command file reports the origin of connections to RTAn:.  Use it with 
caution.  It is not written as cleanly as I'd like, but it works.  You need 
CMKRNL to run this because it analyzes the running system.

Invoke with (e.g.)

    $ @GETREM 1,2,5

Dave C.


$ vfy = f$verify('debug'+0)
$ if f$cvui(1,1,'debug'+0) then -
     write sys$error "File GETREM.COM, 8-Aug-1984"
$!
$!  Gets node and userid from which a SET HOST was done.
$!
$!  P1 is a list of terminal numbers, each assumed to be on "unit" RTA
$!  If blank, RTA1: thru RTA20: are assumed.
$!
$ set noon
$ mypid = f$getjpi("","pid")
$ filespec = f$parse("SYS$SCRATCH:G"+mypid+".TMP")
$ filespec2 = f$parse("SYS$SCRATCH:H"+mypid+".TMP")
$ req_priv = "cmkrnl"
$ old_priv = f$setprv(req_priv)
$ if .not. f$priv(req_priv) then goto exit
$ terminal_list = p1
$ if terminal_list .eqs. "" then -
     terminal_list = "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20"
$!
$get_next_terminal:
$ next_terminal = f$extract(0,f$locate(",",terminal_list),terminal_list)
$ terminal_list = terminal_list - next_terminal - ","
$ next_terminal = next_terminal - "_" - "_" - ":" - -
            "RTA" - "RTa" - "Rta" - "rTa" - "RtA" - "rtA" - "rTA" - "rta"
$ terminal = f$fao("RTA!ZB:",f$integer(next_terminal))
$ if f$getdvi(terminal,"exists") then goto exists
$nsd: write sys$error "No such device, ",terminal,"."
$ goto end_terminal_loop
$!
$exists:
$ pid = f$getdvi(terminal,"pid")
$ if .not. $status then goto nsd
$ if pid .eqs. "" then goto nsd
$ index = f$extract(4,4,pid)
$ open/write x.tmp 'filespec'
$ write x.tmp "$ define/user sys$output ",filespec2
$ write x.tmp "$ anal/syst
$ write x.tmp "set proc/index=",index
$ write x.tmp "exam ctl$t_nodename+1;^D6"
$ write x.tmp "exam ctl$t_remoteid+1;^D12"
$ write x.tmp "$ exit
$ close x.tmp
$ @'filespec'
$ pid_check = f$getdvi(terminal,"pid")
$ if pid_check .nes. pid then goto exit
$ username := 'f$getjpi(pid,"username")'
$!
$ open/read y.tmp 'filespec2'
$ read y.tmp x
$ read y.tmp x
$ read y.tmp x
$ nodename = f$extract(37,6,x)-"."-"."-"."-"."-"."-"."
$ read y.tmp x
$ remoteid = f$extract(37,12,x)
$ close y.tmp
$ write sys$output -
   terminal,"  (",username,") is remote from ",nodename,"::",remoteid
$!
$end_terminal_loop:
$ if terminal_list .nes. "" then goto get_next_terminal
$!
$exit: 
$ x = f$setprv(old_priv)
$ if f$search(filespec) .nes. "" then dele/nolog 'filespec'*
$ if f$search(filespec2) .nes. "" then dele/nolog 'filespec2'*
$ exit 1+0*f$verify(vfy)

	You might also try:

	NCP SHOW KNOWN LINKS

	to see all network activity.  Take the nodes listed for the
	links and do:

	NCP TELL node SHOW KNOWN LINKS

	to see the story from the other end.  Unfortunately links
	from processes like NOTES-11 do not show a proper remote
	user name... you have to ask the remote node for its links
	and hope the process name of the process that is doing the
	access is informative.

WHAT is quite useful here as well. You can do a SHOW LINKS and it will
display the remote node and the process being used. If the process is
REMACP then it is a remote terminal link.

We were able to intercept someone who was trying to break into one of
our machines in this way. Someone on an internal training course was
hacking around the Net, and within a few minutes we were able to call
his system manager with the details.

Hugh

Here is a DCL command file that will display a list of users who are
using RTAxx: terminals (remote logins) and another list of the node and
user name of the source of all SET HOST links.  Unfortunately there was 
not enough data in the NCP SHOW KNOWN LINKS, SHOW USERS and SHOW SYSTEM 
displays to determine what SET HOST link is connected to what local
user name.  The best you can do is look for remote user names that don't 
seem to match any of the users currently logged in remotely (somebody 
possibly using an account that is not theirs).  Good luck

	-John A. Wasser
	
$ ncp := $sys$system:ncp.exe
$ define/user_mode sys$output sys$scratch:users.tmp
$ show users
$ define/user_mode sys$output sys$scratch:links.tmp
$ ncp show known links
$ open/read users sys$scratch:users.tmp
$ read/end=done1 users user
$ read/end=done1 users user
$ read/end=done1 users user
$loop1:
$   read/end=done1 users user
$   if (f$extract(4,3,user) .nes. "RTA") then goto loop1
$   terminal = f$extract(4,8,user)
$   terminal = f$extract(0,f$locate(":",terminal),terminal)
$   username = f$extract(14,15,user)
$   record = "Terminal: "+terminal+"  User: "+username
$   write sys$output record
$   goto loop1
$done1:
$ close users
$ delete sys$scratch:users.tmp;0
$!
$ open/read links sys$scratch:links.tmp
$ read/end=done2 links link
$ read/end=done2 links link
$ read/end=done2 links link
$ read/end=done2 links link
$ read/end=done2 links link
$ read/end=done2 links link
$loop2:
$   read/end=done2 links link
$   if (f$extract(37,6,link) .nes. "REMACP") then goto loop2
$   node = f$extract(10,15,link)
$   node = f$extract(f$locate("(",node)+1,15,node)
$   node = f$extract(0,f$locate(")",node),node)
$   username = f$extract(62,15,link)
$   record = "Remote user: "+node+"::"+username
$   write sys$output record
$   goto loop2
$done2:
$   close links
$   delete sys$scratch:links.tmp;0
$ exit

	To clarify the info of using the ACCOUNTING.DAT after the attempt
has occurred do a ACCOUNTING/FULL/NODE=XXXX/TYPE=YYYYY.

	I have a nightly batch that mails me every AM all LOGFAIL 
attempts, and MODEM activity. By looking at the logfails from a remote
node, I can do an accounting / full and almost always get the username
of the perpetrator at the remote machine.

	-John

1	!								&
	!	Hello,this is another way to find out the Node and	&
	!	Either the USERNAME or the PID of the remote Process.	&
	!	You can use the following DCL commands to create a 	&
	!	log File for every successful login:			&
	!	(add this in the System Login file)			&
	!								&
	!	$ Define/User Sys$Output LOGFILE.TMP			&
	!	$ Run <whatever you call the program>			&
	!	$ Append/nolog LOGFILE.TMP LOGFILE.DAT			&
	!	$ Delete/Noconfirm/Nolog Logfile.tmp;*			&
	!								&
	!		Cheers,Marc.					&


50	Node$	=	Space$(8%)					&
\	User$	=	Space$(12%)					&
\	RC%	=	0%						&

100	Call Get_all(Node$,User$,RC%)

120	Print "Not connected via the Network." if RC% = 2096	&
\	Print "Network Link coming from ";Node$;User$	if RC% = 1	&
\	Print "Something strange happened,RC% is ";RC% if ((RC% <> 1)	&
						and (RC% <> 2096))	&

130	End								&
!-----------------------------------------------------------------------&
!									&
!		.TITLE GET_ALL	Subroutine for BASIC "GETNODE"		&
!									&
!Arg_1 	=	1*4		;Byte offset Argument 1 (Node$)		&
!Arg_2	=	2*4		;Byte offset Argument 2 (User$)		&
!Arg_3	=	3*4		;Byte offset Argument 3 (RC%)		&
!									&
!		.Entry	Get_ALL ^M<R2,R3,R4,R5,R6,R7,R8,R9,R10,R11>	&
!									&
!									&
!	Tstb	@#Ctl$T_Nodename		; Remote node ?		&
!	Beql	10$				; No...			&
!	Movl	Arg_1(AP),R3			;NODE$ descriptor addr.	&
!	Movc3	#6.,CTL$T_NODENAME+1,@4(R3)	;			&
!	Movl	Arg_2(AP),R3			;User$ descriptor addr.	&
!	Movc3	#12.,CTL$T_REMOTEID+1,@4(R3)	;			&
!	Movl	#SS$_NORMAL,@Arg_3(AP)		;Set Success		&
!	Brb	20$							&
!10$:	Movl	#SS$_CANCEL,@Arg_3(AP)		;Set Failure		&
!20$:	RET					;No Node Name		&
!		.END							&
!									&
!----------------------------- Example ---------------------------------&
!									&
!	$ BASIC	GETNODE							&
!	$ MACRO	GETALL							&
!	$ LINK	GETNODE,GETALL + SYS$SYSTEM:SYS.STB			&
!	$ RUN	GETNODE							&
!	You are not connected via the Network.				&
!	$ SET HOST 0							&
!	Username:							&
!	Password:							&
!	$ RUN	GETNODE							&
!	You are coming from BEAGLE::BONGARTZ				&
!	$ LOGOUT							&
!	Control returned to node _BEAGLE::				&
!	$ LOGOUT							&
!	BONGARTZ       logged out on 06-Sep-1984 07:38:03.21		&
!-----------------------------------------------------------------------&