[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference noted::hackers_v1

Title:-={ H A C K E R S }=-
Notice:Write locked - see NOTED::HACKERS
Moderator:DIEHRD::MORRIS
Created:Thu Feb 20 1986
Last Modified:Mon Aug 03 1992
Last Successful Update:Fri Jun 06 1997
Number of topics:680
Total number of notes:5456

532.0. "His first or last name? :+)" by SNDBOX::SMITH (William P.N. (WOOKIE::) Smith) Tue Aug 18 1987 09:42

    I occasionally get entries in my operator.log file showing that
    CSCMA::20A02073 has been talking to my DECNET account, is this a
    for-real user name, or some strange task or what?
    
    Willie
T.RTitleUserPersonal
Name		DateLines
532.1ANNECY::ROBERTSNigel@AEO, DTN 887-4077Tue Aug 18 1987 13:193
    Looks rather like a process-id to me.
    
    Nigel
532.2random network links?FROST::HARRIMANno caps lock hereTue Aug 18 1987 15:3610
    
    What was the process doing to your DECNET account? Any ideas how
    many images it invoked, how much virtual memory it used, etc?
    
    We get those too. I always assumed they were just random objects
    like pasthru mail processes that have no real names, just pids which
    you could trace if you really had to (I have never had to).
    
    /pjh
532.3Pick oneWKRP::LENNIGDave, SWS, @CYO CincinnatiTue Aug 18 1987 17:286
    I believe you get PIDs when
    1) SET EXECUTOR DEFAULT PROXY [INCOMING or NONE]  or
    2) SET OBJECT name PROXY [INCOMING or NONE] or
    3) NODE"":: explicit null access control string format is used
    
    Dave
532.4No proxies..SNDBOX::SMITHWilliam P.N. (WOOKIE::) SmithThu Aug 20 1987 18:496
    Must have been 3), neither the FAL log nor the operators log gave
    any clue as to who it was or what they were doing.  I usually toss
    the FAL logs after I've checked them over, so I can't recheck....
    
    Willie
532.5Addendum to .3WKRP::LENNIGDave, SWS, @CYO CincinnatiFri Aug 21 1987 11:015
    All three cases I describe are in the context of the originating
    node, not the destination. In particular, cases one and two imply
    that OUTGOING PROXY is disabled.
    
    Dave
532.6REMACP?AUNTB::SOEHLOn to Mt. PilotFri Aug 21 1987 13:319
    If you do an "$ncp show know objects" you will see some of them
    have a pid of a detached process (like REMACP) associated with them.
    I wonder if accounting might not tell you something about that time
    frame.  For example, if someone does a "set host" to your machine,
    it will tell you the node that it came from, and their remote username.
    
    Hope this helps
    
    Patrick
532.7Username can look like PIDDELNI::CANTORDave C.Tue Aug 25 1987 04:4819
      In your SYS$SYLOGIN (I assume you have one), put the commands
      
      $ IF F$MODE() .EQS. "NETWORK" THEN SHOW LOGICAL SYS$NET
      
      Examine the NETSERVER.LOG files.  The result of the SHOW command
      will be something like
      
          "CSCMA::0=20A02073/..............................."
      or
          "CSCMA::0=20A02073    /..........................."
      
      If the number of characters between the equal sign and the
      slash is 8, it's a PID, if 12, it's a username.
      
      There's no reason a hacker with privilege couldn't create
      a username 20A02073 in order to make someone at the destination
      node think they were seeing a PID, but now you know better.
      
      Dave C.