
Conference noted::hackers_v1

Title: -={ H A C K E R S }=-
Notice: Write locked - see NOTED::HACKERS
Moderator: DIEHRD::MORRIS
Created: Thu Feb 20 1986
Last Modified: Mon Aug 03 1992
Last Successful Update: Fri Jun 06 1997
Number of topics: 680
Total number of notes: 5456

265.0. "Finding the culprit" by ASGMKA::TOMAS (Joe) Tue Jun 24 1986 09:15

    A friend of mine has been "bothered" a couple of times by someone
    who is using one of the "Bother-type" routines floating around on
    the net.  
    
    Question:  Not being one who understands all the intricacies of the
               Vax, is it possible to trace back to the originator of
               these messages?  
    
    Thanx...
    
    -j-
265.1. "NETSERVER Never Lies" by HITECH::DEMERS (Leo Demers) Tue Jun 24 1986 09:21 (7 lines)
    
        Yep,  Just look at your system's default DECNET account
        and look at your NETSERVER.LOG's (You might need to 
        use BACKUP/IGNORE=INTER to get the ones currently opened)
        Then just look for people running PHONE at the time of
        the annoyance.  - Leo Who found out who was BOTHERing him.
        
265.2. by GALLO::RASPUZZI (Michael Raspuzzi) Tue Jun 24 1986 11:04 (6 lines)
    Can the same thing be done if the annoyer is on the same machine?
    
    If it is a remote culprit, then .1 is right. The phone object number
    I think is 27 (that may help when looking at the .LOG file).
    
    Mike who has also caught net jokers.
265.3. "addendum de la errata" by 11714::MCPHERSON (It's my life and it's my wife.) Tue Jun 24 1986 12:00 (6 lines)
    re.2
    
    I think the PHONE object number is 29.
    
    /doug
    
265.4. "Make sure NETSERVER.log isn't auto-purged 'tho" by SUBSYS::LAWLER (N9910Q) Thu Jun 26 1986 08:21 (13 lines)
    
    Have the victim write down the exact time of the occurrence
    and search the decnet logs for short (under a minute) phone
    connections which occurred at the same time.  You may have 
    to modify the startnet comfile to not automatically purge
    old netserver.logs.  Incidentally, we had the same sort of
    thing happen here by somebody who was not completely fluent
    in English.  The grammar mistake in the bother message gave
    him away instantly...
    
    
    					al
    
265.5. "ACCOUNTING does that too" by TUNDRA::HARRIMAN Mon Jul 28 1986 10:29 (11 lines)
    We had some of the same problems here in Burlington Vt... Even with
    auto-purge of the DECNET accounts we have been able to catch probing
    types using, of all things, the ACCOUNTING utility. Don't forget
    that ACCOUNTING keeps info on all sorts of things, like who originated
    a network link and such. We don't do image accounting, but the PHONE
    utility leaves a definite characteristic trace (7 image activations,
    always a network process, etc). And it can be used on a system when
    normal interactive logins are disabled.... Any of you system types
    can go at it if you like being a detective...
    
    -pjh
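
The time correlation described in .4, as an added example that is not part of the original thread: it filters log records for PHONE links shorter than a minute that started near the time the victim wrote down. The record layout (including the closing termination line used to measure link length) and all node and user names are constructed assumptions, so the pattern must be adjusted to the actual NETSERVER.LOG contents.

```python
import re
from datetime import datetime, timedelta

# Constructed sample; layout is an assumption modelled on connect records.
SAMPLE_LOG = '''\
Connect request received at 24-JUN-1986 09:02:11.40
    from remote process NODEA::"0=SMITH"
    for object "SYS$SYSTEM:MAIL.EXE"
NETSERVER job terminated at 24-JUN-1986 09:02:58.03
Connect request received at 24-JUN-1986 09:14:37.12
    from remote process NODEB::"0=JONES"
    for object "SYS$SYSTEM:PHONE.EXE"
NETSERVER job terminated at 24-JUN-1986 09:14:52.80
Connect request received at 24-JUN-1986 09:15:05.00
    from remote process NODEC::"0=BROWN"
    for object "SYS$SYSTEM:PHONE.EXE"
NETSERVER job terminated at 24-JUN-1986 09:31:40.10
'''

RECORD = re.compile(
    r'Connect request received at (?P<start>\S+ \S+)\s+'
    r'from remote process (?P<node>\w+)::"0=(?P<user>[^"]+)"\s+'
    r'for object "(?P<obj>[^"]+)"\s+'
    r'NETSERVER job terminated at (?P<end>\S+ \S+)')

def parse_ts(text):
    # Absolute time with hundredths of a second, e.g. 24-JUN-1986 09:14:37.12
    return datetime.strptime(text, "%d-%b-%Y %H:%M:%S.%f")

def short_phone_links(log_text, reported, slack=timedelta(minutes=2),
                      max_len=timedelta(minutes=1)):
    """Return (node, user, start) for PHONE links shorter than max_len
    that started within `slack` of the time the victim wrote down."""
    hits = []
    for m in RECORD.finditer(log_text):
        if "PHONE" not in m["obj"].upper():
            continue  # match on the object name, not its number
        start, end = parse_ts(m["start"]), parse_ts(m["end"])
        # slack absorbs clock drift between the victim's watch and the node
        if end - start < max_len and abs(start - reported) <= slack:
            hits.append((m["node"], m["user"], start))
    return hits

if __name__ == "__main__":
    noted = datetime(1986, 6, 24, 9, 15)  # time the victim wrote down
    for node, user, start in short_phone_links(SAMPLE_LOG, noted):
        print(f"{start}  {node}::{user}")
```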