This is a sample of selected output produced by our automated Unix audit tool. As with any such sample, it shows only a small subset of the vulnerabilities the tool can detect and report on, and the findings depend on the audited system's configuration and the site's own requirements, but it should give a good sense of the kind of output the tool produces and how the results can be used to improve protection. Parts of this report have been removed for length, and names have been changed to protect anonymity.
====================================================
Tracer Starting Engines on all.net by fc.
Thu Mar 7 11:10:49 EST 1996
Copyright (c), 1995-6 Management Analytics
All Rights Reserved
====================================================
======>> Start:Checking for undesired network services.
The following services are detected as undesired.
If any of them are desired, remove them from
the bad services list to eliminate future notices.
+++ NOTICE login services are not used. In /etc/inetd.conf change:
FROM: login stream tcp nowait root /usr/etc/tcpd in.rlogind
TO: # login stream tcp nowait root /usr/etc/tcpd in.rlogind
+++ NOTICE shell services are not used. In /etc/inetd.conf change:
FROM: shell stream tcp nowait root /usr/etc/tcpd in.rshd
TO: # shell stream tcp nowait root /usr/etc/tcpd in.rshd
+++ NOTICE echo services are not used. In /etc/services change:
FROM: echo 7/tcp
TO: # echo 7/tcp
FROM: echo 7/udp
TO: # echo 7/udp
+++ NOTICE chargen services are not used. In /etc/services change:
FROM: chargen 19/tcp ttytst source
TO: # chargen 19/tcp ttytst source
FROM: chargen 19/udp ttytst source
TO: # chargen 19/udp ttytst source
+++ NOTICE systat services are not used. In /etc/services change:
FROM: systat 11/tcp users
TO: # systat 11/tcp users
+++ NOTICE netstat services are not used. In /etc/services change:
FROM: netstat 15/tcp
TO: # netstat 15/tcp
+++ NOTICE tftp services are not used. In /etc/services change:
FROM: tftp 69/udp
TO: # tftp 69/udp
+++ NOTICE link services are not used. In /etc/services change:
FROM: link 87/tcp ttylink
TO: # link 87/tcp ttylink
+++ NOTICE supdup services are not used. In /etc/services change:
FROM: supdup 95/tcp
TO: # supdup 95/tcp
+++ NOTICE sunrpc services are not used. In /etc/services change:
FROM: sunrpc 111/tcp
TO: # sunrpc 111/tcp
FROM: sunrpc 111/udp
TO: # sunrpc 111/udp
+++ NOTICE NeWS services are not used. In /etc/services change:
FROM: NeWS 144/tcp news # Window System
TO: # NeWS 144/tcp news # Window System
+++ NOTICE exec services are not used. In /etc/services change:
FROM: exec 512/tcp
TO: # exec 512/tcp
+++ NOTICE login services are not used. In /etc/services change:
FROM: login 513/tcp
TO: # login 513/tcp
+++ NOTICE shell services are not used. In /etc/services change:
FROM: shell 514/tcp cmd # no passwords used
TO: # shell 514/tcp cmd # no passwords used
+++ NOTICE printer services are not used. In /etc/services change:
FROM: printer 515/tcp spooler # line printer spooler
TO: # printer 515/tcp spooler # line printer spooler
+++ NOTICE biff services are not used. In /etc/services change:
FROM: biff 512/udp comsat
TO: # biff 512/udp comsat
+++ NOTICE who services are not used. In /etc/services change:
FROM: who 513/udp whod
TO: # who 513/udp whod
+++ NOTICE whois services are not used. In /etc/services change:
FROM: whois 43/tcp nicname # usually to sri-nic
TO: # whois 43/tcp nicname # usually to sri-nic
+++ NOTICE syslog services are not used. In /etc/services change:
FROM: syslog 514/udp
TO: # syslog 514/udp
+++ NOTICE uucp services are not used. In /etc/services change:
FROM: uucp 540/tcp uucpd # uucp daemon
TO: # uucp 540/tcp uucpd # uucp daemon
+++ NOTICE talk services are not used. In /etc/services change:
FROM: talk 517/udp
TO: # talk 517/udp
+++ NOTICE rmonitor services are not used. In /etc/services change:
FROM: rmonitor 560/udp rmonitord # experimental
TO: # rmonitor 560/udp rmonitord # experimental
+++ NOTICE monitor services are not used. In /etc/services change:
FROM: monitor 561/udp # experimental
TO: # monitor 561/udp # experimental
+++ NOTICE route services are not used. In /etc/services change:
FROM: route 520/udp router routed
TO: # route 520/udp router routed
<<=== End:Undesirable network services test done.
======>> Start:Checking /etc/hosts.equiv file.
No /etc/hosts.equiv file found.
<<=== End:Done checking /etc/hosts.equiv.
======>> Start:Checking for .rhosts and .netrc files.
++++ WARNING Found .rhosts file in /u/fc
Verify the propriety of this file with fc [Fred Cohen].
Either the user has created an .rhosts file to allow
remote entry from another host without a password, or
an attacker has planted the file for future entry.
++++ WARNING Found .rhosts file in /u/fc
Verify the propriety of this file with Sfc [Fred Cohen SLIP Line].
Either the user has created an .rhosts file to allow
remote entry from another host without a password, or
an attacker has planted the file for future entry.
++++ WARNING Found .rhosts file in /u/iw
Verify the propriety of this file with iw [Information Warfare Mailing List].
Either the user has created an .rhosts file to allow
remote entry from another host without a password, or
an attacker has planted the file for future entry.
++++ WARNING Found .rhosts file in /u/game
Verify the propriety of this file with game [WarGame].
Either the user has created an .rhosts file to allow
remote entry from another host without a password, or
an attacker has planted the file for future entry.
++++ WARNING Found .rhosts file in /u/ml
Verify the propriety of this file with ml [Mailing List Reception].
Either the user has created an .rhosts file to allow
remote entry from another host without a password, or
an attacker has planted the file for future entry.
<<=== End:Done checking for .rhosts and .netrc files.
======>> Start:Checking for NFS holes.
Your system is not apparently running the NFS daemon at this time.
Your NFS daemon will currently export file systems as follows:
/tmp localhost
/tmp all.net
/tmp unix
Verify that this is correct. Remember that remote access to your
NFS mounted file systems can be attained by packet forgery
and be certain that you provide other protection to prevent that
eventuality. If it should be changed, edit the /etc/exports
file to correct the situation.
***** DANGER - NFS to local domains as indicated below is unsafe:
/tmp localhost
The following lines may allow access from machines outside of
your local domain. This should not be allowed if at all avoidable.
To correct this, edit these lines out of the /etc/exports file.
/tmp localhost
/tmp all.net
/tmp unix
If you plan on exporting file systems with NFS, some increased protection
can be provided by running 'fsrand' on the exported file systems and
using the 'secure' NFS option if available. Check vendor documentation
for further details.
<<=== End:Done checking for NFS holes.
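The NFS check above reads /etc/exports and asks, per exported directory, who may mount it. The following is an added example of that classification, not the audit tool's own code: it parses a constructed exports file in the old "directory [options] [host ...]" layout (SunOS-style -access=host:host and -rw=host lists are understood as well), treats unqualified names, localhost and names inside the local domain as local, and flags exports with no host list, exports to hosts outside the local domain, and writable exports, since, as the report notes, a host list can be defeated by address forgery. The hostnames and the local domain "all.net" are assumptions taken from the report.

```python
# Added example, not the audit tool's own code: classify /etc/exports
# entries by who may mount them. The exports text below is constructed
# in the old "directory [options] [host ...]" layout; SunOS-style
# -access=host:host and -rw=host lists are understood as well.
import re

SAMPLE_EXPORTS = """\
# constructed sample exports file
/tmp localhost all.net unix
/home
/usr/share -ro -access=archive.all.net:mirror.example.org
/var/spool/news -rw=news.all.net
"""

HOST_OPTION = re.compile(r"-(access|rw|root)=(.+)")


def parse_exports(text):
    """Return a list of (directory, options, hosts); hosts is [] for 'everyone'."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        directory, options, hosts = tokens[0], [], []
        for tok in tokens[1:]:
            if tok.startswith("-"):
                options.append(tok)
                m = HOST_OPTION.match(tok)
                if m:                        # hosts named inside the option itself
                    hosts.extend(m.group(2).split(":"))
            else:
                hosts.append(tok)
        entries.append((directory, options, hosts))
    return entries


def is_local_host(host, local_domain):
    """localhost, unqualified names and names inside local_domain count as local."""
    host = host.lower().rstrip(".")
    if host == "localhost" or host == local_domain or "." not in host:
        return True
    return host.endswith("." + local_domain)


def audit_exports(text, local_domain):
    """Return (severity, directory, reason) findings in file order."""
    findings = []
    for directory, options, hosts in parse_exports(text):
        if not hosts:
            findings.append(("DANGER", directory,
                             "no host list: every host that can reach the server may mount it"))
            continue
        remote = [h for h in hosts if not is_local_host(h, local_domain)]
        if remote:
            findings.append(("WARNING", directory,
                             "exported outside %s to: %s" % (local_domain, ", ".join(remote))))
        if "-ro" not in options:
            # A host list is only as strong as the source address on the
            # request; forged packets can pass it, so a writable export
            # needs protection beyond the list itself.
            findings.append(("NOTICE", directory,
                             "writable export; address forgery can defeat the host list"))
    return findings


if __name__ == "__main__":
    for severity, directory, reason in audit_exports(SAMPLE_EXPORTS, "all.net"):
        print("%-8s %-16s %s" % (severity, directory, reason))
```

Run against a real /etc/exports, the function is fed the file contents and the site's domain; the DANGER case (no host list at all) is the one to fix first, and a writable export should additionally be protected by the 'secure' option or packet filtering, as the report suggests.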
======>> Start:Checking for /etc/hosts.lpd holes.
No /etc/hosts.lpd file.
<<=== End:Done checking for /etc/hosts.lpd holes.
======>> Start:Checking /etc/ttytab, /etc/ttys, and /usr/lib/X11/xdm/Xsession.
No content problems identified in /etc/ttytab.
No content problems identified in /etc/ttys.
/usr/lib/X11/xdm/Xsession not found.
<<=== End:Done checking /etc/ttytab /etc/ttys /usr/lib/X11/xdm/Xsession.
======>> Start:Checking tcp wrappers setup.
all: all found in /etc/hosts.deny - it seems appropriate:
ALL: ALL: spawn (/usr/etc/safe_finger -l @%h | /usr/ucb/mail -s %d-%u@%h fc;cat /etc/nomisc | /usr/ucb/mail -s Attempted-entry-%d-by-%u@%h postmaster@%h) & : deny
<<=== End:Done checking tcp wrappers setup.
======>> Start:Checking /etc/aliases for decode threat.
*** NOTICE: Piped executables found in /etc/aliases.
Verify all programs named in the following lines:
game: "|/u/game/bin/game"
ml: "|/u/ml/bin/ml"
to make certain that they are trustworthy and properly protected.
<<=== End:Done checking /etc/aliases.
======>> Start:Checking /etc/sendmail.cf and sendmail.
*****WARNING - Sendmail is VERY dangerous. Make certain
that you have the latest version, and all updates. Also
try the remote testing service at http://all.net/ for external
tests of sendmail and other external holes.
No common sendmail weaknesses found.
/etc/sendmail.cf appears to have proper logging levels set.
<<=== End:Done checking /etc/sendmail.cf.
======>> Start:Checking /etc/passwd contents.
++ Note that user 'nobody' is not able to login. You may want to remove this
user ID if it is not a special user ID used for remote access.
++ Note that user 'sys' is not able to login. You may want to remove this
user ID if it is not a special user ID used for remote access.
++ Note that user 'bin' is not able to login. You may want to remove this
user ID if it is not a special user ID used for remote access.
++ Note that user 'uucp' is not able to login. You may want to remove this
user ID if it is not a special user ID used for remote access.
++ Note that user 'news' is not able to login. You may want to remove this
user ID if it is not a special user ID used for remote access.
++ Note that user 'audit' is not able to login. You may want to remove this
user ID if it is not a special user ID used for remote access.
****EXTREMELY DANGEROUS - mud is a pseudonym for root.
It is likely that this is the result of an attack and is
being used as a point of reentry to the system as root.
Immediately remove this entry from your /etc/passwd file:
mud - Test MUD
++ Note that user 'www' is not able to login. You may want to remove this
user ID if it is not a special user ID used for remote access.
++ Note that user 'exec' is not able to login. You may want to remove this
user ID if it is not a special user ID used for remote access.
++ Note that user 'proxy' is not able to login. You may want to remove this
user ID if it is not a special user ID used for remote access.
++ Note that user 'iw' is not able to login. You may want to remove this
user ID if it is not a special user ID used for remote access.
++ Note that user 'game' is not able to login. You may want to remove this
user ID if it is not a special user ID used for remote access.
++ Note that user 'ml' is not able to login. You may want to remove this
user ID if it is not a special user ID used for remote access.
<<=== End:Done checking /etc/passwd contents.
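The /etc/passwd check above has two parts: a note for every account whose password field says it cannot log in, and an alarm for any account other than root that carries UID 0, since such an entry gives an attacker a second root login that survives a root password change. The following is an added example of those checks, not the audit tool's own code, run over a constructed passwd file modelled on the accounts in the report. It generalises slightly beyond the report: any UID shared by two names is reported, not only UID 0, and an empty password field is flagged as well. The convention that '*' or a leading '!' disables password login, while 'x' merely defers to a shadow file, is assumed.

```python
# Added example, not the audit tool's own code: /etc/passwd checks over a
# constructed passwd file. Reports a second UID-0 account, any shared UID,
# empty password fields, and accounts that cannot log in.

SAMPLE_PASSWD = """\
root:x:0:1:Operator:/:/bin/csh
nobody:*:65534:65534::/:
daemon:*:1:1::/:
sys:*:2:2::/:/bin/csh
bin:*:3:3::/bin:
fc:x:100:10:Fred Cohen:/u/fc:/bin/csh
mud:x:0:10:Test MUD:/u/mud:/bin/csh
guest::200:10:Guest:/u/guest:/bin/sh
www:*:150:10:Web Server:/u/www:/bin/sh
"""


def parse_passwd(text):
    """Return one dict per passwd entry; an empty shell field means /bin/sh."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell or "/bin/sh"})
    return entries


def cannot_login(entries):
    # '*' or a leading '!' is the usual way to disable password login;
    # 'x' defers to a shadow file and says nothing by itself (assumed convention).
    return [e["name"] for e in entries if e["pw"] == "*" or e["pw"].startswith("!")]


def shared_uids(entries):
    """Map uid -> names for every uid that appears under more than one name."""
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e["uid"], []).append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def audit_passwd(text):
    """Return (severity, account(s), reason) findings, most serious first."""
    entries = parse_passwd(text)
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("EXTREMELY DANGEROUS", e["name"],
                             "is a pseudonym for root (UID 0); remove it immediately"))
        if e["pw"] == "":
            findings.append(("DANGER", e["name"],
                             "has an empty password field; anyone can log in as it"))
    for uid, names in shared_uids(entries).items():
        if uid != 0:                      # UID 0 duplicates were reported above
            findings.append(("WARNING", ",".join(names), "share UID %d" % uid))
    for name in cannot_login(entries):
        findings.append(("NOTE", name, "cannot log in; remove if not needed for a service"))
    return findings


if __name__ == "__main__":
    for severity, who, reason in audit_passwd(SAMPLE_PASSWD):
        print("%-20s %-12s %s" % (severity, who, reason))
```

On a live system the same functions take the contents of /etc/passwd (and the shadow file, where one exists, for the password-field test); the UID-0 check is the one to act on first, because removing the extra entry is the only fix and a password change on root does nothing against it.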
======>> Start:Checking FTP Daemon for SITE EXEC.
SITE EXEC appears to be disabled.
<<=== End:Done checking FTP Daemon for SITE EXEC.
======>> Start:Checking FTP setup.
User 'root' should not be permitted remote ftp access
Add the following line to /etc/ftpusers to repair this:
root
User 'nobody' should not be permitted remote ftp access
Add the following line to /etc/ftpusers to repair this:
nobody
<<=== End:Done checking FTP setup.
======>> Start:Checking RCfiles.
<<=== End:Done checking RCfiles.
======>> Start:Checking for attackable terminal types.
The following entries represent terminals that allow
the terminal gone awry attack. This permits attackers
to send messages to the terminal, possibly even via email,
and cause those messages to be stored in the vt100
for replay. The replay can potentially launch arbitrary attacks.
Consider changing the terminal types on these terminals
or disabling this feature/hole:
console "/usr/etc/getty cons8" vt100 on local secure
<<=== End:Done checking attackable terminal types.
======>> Start:Checking for non-default user umasks.
Umask set (fc) by /u/fc/.cshrc:
umask 077
Umask set (Sfc) by /u/fc/.cshrc:
umask 077
<<=== End:Done checking user umasks.
======>> Start:Checking Root file protections and ownerships.
No such file as /etc/hosts.equiv.
No such file as /etc/hosts.lpd.
<<=== End:Done checking Root file protections and ownerships.
======>> Start:Checking select system file permissions.
<<=== End:Done checking select system file permissions.
======>> Start:Checking sm file permissions.
No such file as /etc/sm.bak.
<<=== End:Done checking sm file permissions.
======>> Start:Checking /usr/lib/expreserve (if before 1992).
***** Danger - /usr/lib/expreserve should be protected 0400.
Use 'chmod 0400 /usr/lib/expreserve' as root to fix this.
<<=== End:Done checking /usr/lib/expreserve.
======>> Start:Checking critical directories.
<<=== End:Done checking critical directories.
======>> Start:Checking critical directory contents and recursive dependencies.
Checking /var
***** Danger - /var/tmp should ONLY be writable by its owner.
Use 'chmod g-w /var/tmp' to repair this.
Checking /bin
+++ Dependency - /etc/termcap (/bin/csh) should only be writable by its owner.
Use 'chmod g-w /etc/termcap' to repair this.
+++ Dependency - /dev/rmt12 (/bin/mt) should only be writable by its owner.
Use 'chmod g-w /dev/rmt12' to repair this.
+++ Dependency - /dev/log (/etc/sendmail.fc) should only be writable by its owner.
Use 'chmod g-w /dev/log' to repair this.
+++ Dependency - /var/spool/mail/ (/bin/mail) should only be writable by its owner.
Use 'chmod g-w /var/spool/mail/' to repair this.
+++ Dependency - /var/spool/mail (/usr/lib/sendmail) should only be writable by its owner.
Use 'chmod g-w /var/spool/mail' to repair this.
+++ Dependency - /var/spool/secretmail (/bin/enroll) should only be writable by its owner.
Use 'chmod g-w /var/spool/secretmail' to repair this.
Checking /usr/bin
Checking /usr/ucb
+++ Dependency - /usr/local/bin (/usr/ucb/whereis) should be owned by a system user.
Use 'chown' to repair this.
Checking /etc
+++ Dependency - /dev/des (/usr/lib/libc.so.1.9.1) should only be writable by its owner.
Use 'chmod g-w /dev/des' to repair this.
+++ Dependency - /usr/spool/mail (/usr/lib/libXaw.so.5.0) should only be writable by its owner.
Use 'chmod g-w /usr/spool/mail' to repair this.
***** Danger - /etc/dumpdates should ONLY be writable by its owner.
Use 'chmod g-w /etc/dumpdates' to repair this.
+++ Dependency - /dev/ttyd (/etc/halt) should only be writable by its owner.
Use 'chmod g-w /dev/ttyd' to repair this.
***** Danger - /etc/aliases.pag should ONLY be writable by its owner.
Use 'chmod g-w /etc/aliases.pag' to repair this.
Checking /usr/etc
***** Danger - /usr/etc/termcap should ONLY be writable by its owner.
Use 'chmod g-w /usr/etc/termcap' to repair this.
+++ Dependency - /dev/dump (/usr/etc/savecore) should only be writable by its owner.
Use 'chmod g-w /dev/dump' to repair this.
***** Danger - /usr/etc/in.unfsd should be owned by a system user.
Use 'chown' to correct this.
+++ Dependency - /u/www (/usr/etc/in.thttpd) should be owned by a system user.
Use 'chown' to repair this.
+++ Dependency - /u/www/gopher (/usr/etc/in.gopherd) should be owned by a system user.
Use 'chown' to repair this.
+++ Dependency - /v/gopher (/usr/etc/in.gopherd2) should be owned by a system user.
Use 'chown' to repair this.
+++ Dependency - /u/proxy/log (/usr/etc/in.proxyd) should be owned by a system user.
Use 'chown' to repair this.
+++ Dependency - /u/proxy/log (/usr/etc/in.proxyd) should only be writable by its owner.
Use 'chmod g-w /u/proxy/log' to repair this.
+++ Dependency - /u/proxy (/usr/etc/in.proxyd) should be owned by a system user.
Use 'chown' to repair this.
+++ Dependency - /u/exec (/usr/etc/in.httpexec) should be owned by a system user.
Use 'chown' to repair this.
+++ Dependency - /u/web (/usr/etc/in.thttpd2) should be owned by a system user.
Use 'chown' to repair this.
Checking /usr/kvm
Checking /usr/lib
+++ Dependency - /usr/tmp/ (/usr/lib/libc.a) should only be writable by its owner.
Use 'chmod g-w /usr/tmp/' to repair this.
<<=== End:Done checking critical directory contents and recursive dependencies.
====================================================
Process Status Tests Now Starting
====================================================
======>> Start:Checking root processes [01]
Swapper checks out OK.
Pager checks out OK.
Init checks out OK.
Portmapper checks out OK.
The syslogd daemon checks out OK.
The update daemon checks out OK.
The cron daemon checks out OK.
The inetd daemon checks out OK.
Verify that the following terminals should be actively awaiting login:
USER PID %CPU %MEM SZ RSS TT STAT START TIME COMMAND
root 127 0.0 0.0 56 0 co IW Feb 4 0:00 - cons8 console (getty)
root 129 0.0 0.0 56 0 d IW Feb 4 0:00 - std.38400 ttyd (getty)
root 9909 0.0 0.0 56 0 c IW 17:15 0:00 - std.38400 ttyc (getty)
The following unidentified root processes are running.
Please verify that they are supposed to be running as root.
USER PID %CPU %MEM SZ RSS TT STAT START TIME COMMAND
root 110 0.0 0.0 1056 0 ? IW Feb 4 0:08 /u/w3/httpd
root 11490 0.0 0.0 56 0 ? IW Mar 6 2:38 in.rlogind
root 17613 0.0 1.4 248 424 b S < Feb 15 132:22 pppd [up, du0, ttyb, 38.
<<=== End:Done checking root processes.
======>> Start:Checking for zombie processes.
<<=== End:Done checking for zombie processes.
======>> Start:Checking for old processes.
nobody 9991 0.0 0.0 40 0 ? IWN Mar 4 0:00 sh
nobody 9992 0.0 0.0 40 0 ? IWN Mar 4 0:00 /bin/sh
nobody 9998 0.0 0.0 48 0 ? IWN Mar 4 0:01 /bin/tee -a /u/w3/logs/s
nobody 11447 0.0 0.4 96 128 ? S-N Mar 4 0:21 /u/w3/htdocs/cgi-bin/nfs
<<=== End:Done checking for old processes.
======>> Start:Checking non-root non-user processes.
No processes found for privileged user daemon.
No processes found for privileged user sys.
No processes found for privileged user bin.
No processes found for privileged user uucp.
No processes found for privileged user news.
No processes found for privileged user audit.
No processes found for privileged user postmaster.
No processes found for privileged user sync.
<<=== End:Done checking non-root non-user processes.
======>> Start:Checking user processes.
The following processes belong to regular users on your system.
Please verify that they are appropriate in your environment.
USER PID %CPU %MEM SZ RSS TT STAT START TIME COMMAND
fc 5529 0.0 0.0 40 0 p4 IW Mar 6 0:00 -sh (sh)
fc 9542 31.6 1.8 224 552 p6 R 11:19 0:00 ps -aux
fc 11491 0.0 0.0 48 0 p6 IW Mar 6 0:01 -sh (sh)
game 5528 0.0 0.0 32 0 p2 IW Mar 6 0:00 -sh (sh)
iw 5514 0.0 0.0 40 0 p0 IW Mar 6 0:00 -sh (sh)
<<=== End:Done checking user processes.
====================================================
Process Status Tests Now Completed.
====================================================
======>> Start:Checking /etc/passwd by guessing.
Starting with 24 accounts to try
Trying some well-known passwords
- locked password for nobody (65534) - 23 accounts left to go.
- locked password for daemon (1) - 22 accounts left to go.
- locked password for sys (2) - 21 accounts left to go.
- locked password for bin (3) - 20 accounts left to go.
- locked password for uucp (4) - 19 accounts left to go.
- locked password for news (6) - 18 accounts left to go.
- locked password for audit (9) - 17 accounts left to go.
- locked password for postmaster (10) - 16 accounts left to go.
- locked password for sync (1) - 15 accounts left to go.
- locked password for www (150) - 14 accounts left to go.
- locked password for exec (151) - 13 accounts left to go.
- locked password for proxy (160) - 12 accounts left to go.
- locked password for iw (102) - 11 accounts left to go.
- locked password for game (104) - 10 accounts left to go.
- locked password for ml (105) - 9 accounts left to go.
Trying User IDs and GCOS information spelled forward and backward.
Trying all 1-symbol passwords (89 of them).
Trying password dictionary entries (1427 of them).
<<=== End:Done checking /etc/passwd by guessing.
======>> Start:Checking file system settings.
Checking for various files - it takes a while to do this...
No .exrc files found
No .forward files found.
Verify the requirement for and contents of these .rhosts files.
-rw-r--r-- 1 fc 8 Dec 24 13:03 /u/fc/.rhosts
-rw-r--r-- 1 iw 8 Nov 23 10:00 /u/iw/.rhosts
-rw-r--r-- 1 game 8 Dec 29 17:12 /u/game/.rhosts
-rw-r--r-- 1 ml 8 Jan 5 16:30 /u/ml/.rhosts
<<=== End:Done checking file system settings.
======>> Start:Checking directories for world writables.
The following directories are world writable. No directories should
be world writable unless they are temporary known areas or used for some
special application, and in these cases, they should be closely watched
for abuse. To make them non-world writable type 'chmod o-w ' as root.
drwxrwsrwx 3 daemon 512 Nov 7 1994 /usr/games/lib/hackdir
drwxrwsrwx 2 root 512 Aug 3 1994 /usr/local/pkg/emacs-19.25/lib.emacs/lock_orig
drwxrwsrwt 2 root 512 Mar 7 11:53 /var/spool/mail
drwxrwsrwt 2 uucp 512 Dec 24 09:27 /var/spool/uucppublic
drwxrwsrwx 2 bin 512 Oct 11 1990 /var/spool/secretmail
drwxrwsrwx 2 bin 512 Mar 7 11:19 /var/tmp
drwxrwxrwx 2 fc 3584 Mar 6 22:13 /u/w3/logs/scans
drwxrwxrwx 2 iw 512 Jan 2 06:02 /u/iw/old/game
drwxrwxrwx 3 game 512 Jan 13 09:07 /u/game/game-96-01
drwxrwxrwx 2 ml 512 Jan 27 08:24 /u/ml/ml
drwxrwxrwx 2 fc 1024 Mar 6 20:29 /u/www/gopher/IW/1996
drwxrwxrwx 2 fc 13824 Mar 6 22:12 /v/scans
drwxrwxrwx 2 fc 5632 Jun 9 1995 /v/oldscans2
<<=== End:Done checking directories for world writables.
======>> Start:Checking for world writable files.
The following files are world writable. No files should be world
writable unless there is a very good reason. Make these files
non-world writable by typing 'chmod o-w ' as root.
-rw-rw-rw- 1 fc 23 Mar 2 08:15 /tmp/.Sendmail
-rw-rw-rw- 1 nobody 23 Mar 4 19:33 /tmp/colciencias.colciencias.gov.co.Sendmail
-rw-rw-rw- 1 root 406 Dec 6 1994 /usr/games/lib/battlestar.log
-rw-rw-rw- 1 bin 0 Oct 13 1993 /usr/games/lib/cfscores
-rw-rw-rw- 1 fc 0 Mar 7 11:53 /var/spool/mail/fc
-rw-rw-rw- 1 iw 0 Mar 7 06:35 /var/spool/mail/iw
-rw-rw-rw- 1 proxy 289 Oct 3 18:28 /u/proxy/log
-rw-rw-rw- 1 fc 215106 Mar 6 15:34 /u/exec/log
-rw-rw-rw- 1 iw 1681 Dec 29 09:33 /u/iw/old/game/history
-rw-rw-rw- 1 iw 436 Dec 29 09:33 /u/iw/old/game/sendlog
-rw-rw-rw- 1 fc 5467 Mar 4 19:17 /u/web/log
-rw-rw-rw- 1 fc 3678480 Mar 7 11:59 /u/www/log
-rw-rw-rw- 1 fc 10712 Jan 26 19:26 /u/www/cryptolog
<<=== End:Done checking for world writable files.
======>> Start:Checking for SetUID and SetGID files.
The following files are SetUID or SetGID. Files should only be
protected this way if they are designed to allow unlimited access
to the owner's files or if they are specially designed to be secure.
-rws--x--x 1 root 40960 May 21 1994 /usr/bin/login
-rwsr-xr-x 5 root 32768 Oct 13 1993 /usr/bin/passwd
*** Multiple links for SetUID files are usually inappropriate.
Please remove inappropriate links using the 'unlink' command.
-rwxr-sr-x 1 root 5608 Oct 13 1993 /usr/bin/wall
-rwxr-sr-x 1 root 16384 Oct 13 1993 /usr/bin/write
-rwsr-xr-x 1 root 40960 May 17 1994 /usr/bin/at
-rwsr-xr-x 5 root 32768 Oct 13 1993 /usr/bin/ypchfn.not
*** Multiple links for SetUID files are usually inappropriate.
Please remove inappropriate links using the 'unlink' command.
-rwsr-xr-x 1 root 7144 Oct 13 1993 /usr/bin/su
-rwxr-sr-x 1 root 8848 Oct 13 1993 /usr/bin/df
-rwsr-xr-x 5 root 32768 Oct 13 1993 /usr/bin/chfn_orig
*** Multiple links for SetUID files are usually inappropriate.
Please remove inappropriate links using the 'unlink' command.
-rwsr-xr-x 5 root 32768 Oct 13 1993 /usr/bin/chsh_orig
*** Multiple links for SetUID files are usually inappropriate.
Please remove inappropriate links using the 'unlink' command.
-rwsr-xr-x 5 root 32768 Oct 13 1993 /usr/bin/ypchsh.not
*** Multiple links for SetUID files are usually inappropriate.
Please remove inappropriate links using the 'unlink' command.
-rwsr-xr-x 1 root 16446 Oct 13 1993 /usr/etc/ping
-rwsr-x--- 1 root 270336 Jan 5 1995 /usr/etc/pppd
-rwsr-xr-x 1 root 24576 Feb 17 1995 /usr/etc/tTraceroute
-rwxr-sr-x 1 root 42984 May 17 1994 /usr/kvm/ps
-rwxr-sr-x 1 root 32768 Oct 13 1993 /usr/kvm/w
-rwsr-xr-x 1 root 155648 Feb 24 1995 /usr/lib/sendmail.nomx
-rwsr-xr-x 1 root 466944 Jul 21 1994 /usr/lib/sendmail.d
-rwsr-xr-x 1 root 172032 Feb 24 1995 /usr/lib/sendmail
-rwsr-xr-x 1 root 57344 Mar 5 1994 /usr/local/bin/procmail
*** DANGER - /usr/local/bin/procmail is SetUID to root and not in a system directory.
Investigate and remove /usr/local/bin/procmail using
'rm /usr/local/bin/procmail' unless this exception is appropriate.
If this exception is appropriate, please update the exception list
to eliminate future warnings.
-rws--x--x 1 fc 90112 May 1 1995 /usr/local/bin/skey.init
-rwxr-sr-x 1 fc 368640 Mar 5 1994 /usr/local/bin/elm.old
-rwxr-sr-x 1 root 49152 Oct 13 1993 /usr/ucb/talk
-rwsr-xr-x 1 root 24576 Oct 13 1993 /usr/ucb/quota
-rwsr-xr-x 1 root 106558 Oct 13 1993 /usr/ucb/rcp
-rwsr-xr-x 1 root 24576 Oct 13 1993 /usr/ucb/rlogin
-rwsr-x--- 1 root 270336 Jan 6 1995 /etc/pppd
-rwsr-xr-x 1 root 24576 Sep 27 1994 /u/fc/bin/access
*** DANGER - /u/fc/bin/access is SetUID to root and not in a system directory.
Investigate and remove /u/fc/bin/access using
'rm /u/fc/bin/access' unless this exception is appropriate.
If this exception is appropriate, please update the exception list
to eliminate future warnings.
-rwsr-xr-x 1 root 98304 Aug 24 1995 /u/fc/bin/lsof
*** DANGER - /u/fc/bin/lsof is SetUID to root and not in a system directory.
Investigate and remove /u/fc/bin/lsof using
'rm /u/fc/bin/lsof' unless this exception is appropriate.
If this exception is appropriate, please update the exception list
to eliminate future warnings.
-rwsr-xr-x 1 root 32768 Apr 11 1995 /u/fc/audit/InTest/satan/bin/udp_scan
*** DANGER - /u/fc/audit/InTest/satan/bin/udp_scan is SetUID to root
and not in a system directory.
Investigate and remove /u/fc/audit/InTest/satan/bin/udp_scan using
'rm /u/fc/audit/InTest/satan/bin/udp_scan' unless this exception is appropriate.
If this exception is appropriate, please update the exception list
to eliminate future warnings.
-rwsr-xr-x 1 root 32768 Apr 11 1995 /u/w3/htdocs/satan/bin/udp_scan
*** DANGER - /u/w3/htdocs/satan/bin/udp_scan is SetUID to root
and not in a system directory.
Investigate and remove /u/w3/htdocs/satan/bin/udp_scan using
'rm /u/w3/htdocs/satan/bin/udp_scan' unless this exception is appropriate.
If this exception is appropriate, please update the exception list
to eliminate future warnings.
<<=== End:Done checking for SetUID and SetGID files.
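The three file-system sweeps above (world-writable directories, world-writable files, and SetUID/SetGID files with their link counts and locations) are one walk over the tree. The following is an added example of that walk, not the audit tool's own code. It reports world-writable directories (with the sticky bit treated as the "temporary known area" case), world-writable files, every SetUID or SetGID file, SetUID files with more than one hard link, and SetUID files outside a caller-supplied list of system directories. Unlike the report, which escalates only root-owned binaries, it reports the owner and leaves the root-only filter to the caller. demo() builds a constructed tree in a temporary directory, with paths modelled on the report, so the scan can be run without touching a real system.

```python
# Added example, not the audit tool's own code: the world-writable and
# SetUID/SetGID scans above as one tree walk. demo() builds a constructed
# tree in a temporary directory (paths modelled on the report) so the
# scan can be exercised without touching a real system.
import os
import shutil
import stat
import tempfile


def scan_tree(root, system_dirs):
    """Walk root; return sorted (severity, relative path, reason) findings."""
    system_dirs = [os.path.normpath(d) + os.sep for d in system_dirs]
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                    # lstat: never follow symlinks
            mode, rel = st.st_mode, os.path.relpath(path, root)
            world_w = bool(mode & stat.S_IWOTH)
            if stat.S_ISDIR(mode):
                if world_w and mode & stat.S_ISVTX:
                    findings.append(("NOTICE", rel, "world writable (sticky) temporary area; watch for abuse"))
                elif world_w:
                    findings.append(("WARNING", rel, "world writable directory; chmod o-w"))
            elif stat.S_ISREG(mode):
                if world_w:
                    findings.append(("WARNING", rel, "world writable file; chmod o-w"))
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    kind = "SetUID" if mode & stat.S_ISUID else "SetGID"
                    findings.append(("INFO", rel, "%s file owned by uid %d" % (kind, st.st_uid)))
                    if st.st_nlink > 1:            # extra names for a privileged binary
                        findings.append(("WARNING", rel, "%s file has %d links" % (kind, st.st_nlink)))
                    in_system = any(os.path.normpath(path).startswith(d) for d in system_dirs)
                    if mode & stat.S_ISUID and not in_system:
                        findings.append(("DANGER", rel, "SetUID file outside the system directories"))
    return sorted(findings)


def build_sample_tree():
    """Constructed tree: a temp dir laid out like the paths in the report."""
    root = tempfile.mkdtemp(prefix="audit-demo-")

    def mk(rel, mode, content=b"#!/bin/sh\n"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)
        return path

    passwd = mk("usr/bin/passwd", 0o4755)
    os.link(passwd, os.path.join(root, "usr/bin/chfn_orig"))   # second link to a SetUID file
    mk("usr/bin/wall", 0o2755)                                 # SetGID, in a system directory
    mk("u/fc/bin/lsof", 0o4755)                                # SetUID in a home directory
    mk("u/www/log", 0o666, b"")                                # world writable log
    for rel, mode in (("var/tmp", 0o1777), ("v/scans", 0o777)):
        os.makedirs(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    return root


def demo():
    root = build_sample_tree()
    try:
        return scan_tree(root, [os.path.join(root, "usr/bin")])
    finally:
        shutil.rmtree(root)


def demo_pairs():
    """(severity, path) pairs from demo(), for quick checks."""
    return {(severity, rel) for severity, rel, _ in demo()}


if __name__ == "__main__":
    for severity, rel, reason in demo():
        print("%-8s %-22s %s" % (severity, rel, reason))
```

On a real host the walk is started at / (or at each local file system, skipping NFS mounts), and the system-directory list is the set the site trusts for privileged binaries; anything SetUID to root outside it either goes into an exception list after inspection or is removed, as the report advises.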
======>> Start:Checking for changes in system files.
Change control database found and being used.
Checking for changes in existing files.
Checking /var
Checking /bin
Checking /usr/bin
Checking /usr/ucb
Checking /etc
*** '/etc/passwd' has changed as follows:
The modification time changed.
The status change time changed.
The contents (md5 checksum) changed.
*** '/etc/passwd.old.9603' is new!
Checking /usr/etc
Checking /usr/kvm
Checking /usr/lib
Checking for files in the database but not in the system.
*** '/etc/oldpasswd' is missing.
<<=== End:Done checking for changes in system files.
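The change-control check above compares the current state of each watched file with a stored database: modification time, status-change time and a content checksum per file, plus the set of files itself, so that new and missing files are reported. The following is an added example of such a database, not the audit tool's own code. snapshot() records size, mode, owner, mtime, ctime and a SHA-256 digest per regular file (the report's tool used md5; SHA-256 is the better choice today), compare() produces the changed, new and missing lists with the report's wording, and demo() reproduces the situation in the report on a constructed /etc-like tree in a temporary directory.

```python
# Added example, not the audit tool's own code: a change-control database
# of the kind consulted above. snapshot() records size, mode, owner, mtime,
# ctime and a SHA-256 digest per file (the report's tool used md5; SHA-256
# is the better choice today); compare() reports changed, new and missing
# files. demo() runs it over a constructed /etc-like tree in a temp dir.
import hashlib
import os
import shutil
import stat
import tempfile

FIELD_TEXT = {
    "size":   "The size changed.",
    "mode":   "The permissions changed.",
    "uid":    "The owner changed.",
    "mtime":  "The modification time changed.",
    "ctime":  "The status change time changed.",
    "digest": "The contents (sha256 checksum) changed.",
}


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> record for every regular file under root."""
    db = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            db[os.path.relpath(path, root)] = {
                "size": st.st_size, "mode": st.st_mode, "uid": st.st_uid,
                "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns,
                "digest": file_digest(path)}
    return db


def compare(baseline, current):
    """Return {'changed': {path: [reasons]}, 'new': [...], 'missing': [...]}."""
    report = {"changed": {}, "new": [], "missing": []}
    for rel, rec in current.items():
        old = baseline.get(rel)
        if old is None:
            report["new"].append(rel)
            continue
        reasons = [text for key, text in FIELD_TEXT.items() if old[key] != rec[key]]
        if reasons:
            report["changed"][rel] = reasons
    report["new"].sort()
    report["missing"] = sorted(set(baseline) - set(current))
    return report


def demo():
    root = tempfile.mkdtemp(prefix="ccdb-demo-")
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        old = 946684800            # 2000-01-01, so later writes cannot share its mtime
        for name, body in (("passwd", "root:x:0:1:Operator:/:/bin/csh\n"),
                           ("oldpasswd", "root:x:0:1:Operator:/:\n"),
                           ("hosts", "127.0.0.1 localhost\n")):
            path = os.path.join(etc, name)
            with open(path, "w") as f:
                f.write(body)
            os.utime(path, (old, old))
        baseline = snapshot(root)  # in practice stored off-host or read-only
        # Reproduce what the report above observed: passwd edited, a backup
        # copy left behind, and the previous backup removed.
        shutil.copy(os.path.join(etc, "passwd"), os.path.join(etc, "passwd.old.9603"))
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("mud:x:0:10:Test MUD:/u/mud:/bin/csh\n")
        os.remove(os.path.join(etc, "oldpasswd"))
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = demo()
    for rel, reasons in result["changed"].items():
        print("*** '%s' has changed as follows:" % rel)
        for reason in reasons:
            print("    " + reason)
    for rel in result["new"]:
        print("*** '%s' is new!" % rel)
    for rel in result["missing"]:
        print("*** '%s' is missing." % rel)
```

The database is only as trustworthy as its storage: an attacker who can rewrite /etc/passwd can usually rewrite a database kept beside it, so keep the baseline off the host or on read-only media, and treat a timestamp that changed while the digest did not as worth a look as well, since it can mean the file was rewritten with identical content to reset an observer.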
======>> Start:Checking audit file contents.
In the following analysis, organizational policy dictates how to respond
to the indicated items. Refer to your standards and procedures manuals for
details on proper response, or contact your incident response team for detailed
analysis of these indications.
Checking /var/log/syslog
Ignoring ' twist '
Ignoring 'in.thttpd\['
Ignoring 'FROM all.net'
Ignoring 'refused by'
Ignoring 'in.redirect'
Ignoring 'in.identd'
Ignoring 'SYSERR: net hang reading from'
Looking for 'to=bounce'
The following entries (if any) are indicative of intentional attacks
on the Sendmail mail server software. Further investigation is warranted.
Mar 1 15:55:22 all sendmail[24056]: AA24056: to=bounce, delay=00:00:00, stat=User unknown
Mar 1 17:14:56 all sendmail[1270]: AA01270: to=bounce, delay=00:00:00, stat=User unknown
Mar 1 18:23:45 all sendmail[7361]: AA07361: to=bounce, delay=00:00:00, stat=User unknown
Mar 1 18:42:37 all sendmail[9207]: AA09207: to=bounce, delay=00:00:00, stat=User unknown
Mar 1 19:28:22 all sendmail[12949]: AA12949: to=bounce, delay=00:00:00, stat=User unknown
Mar 1 20:40:03 all sendmail[18761]: AA18761: to=bounce, delay=00:00:00, stat=User unknown
Mar 1 21:49:49 all sendmail[25561]: AA25561: to=bounce, delay=00:00:00, stat=User unknown
Mar 1 22:06:22 all sendmail[26943]: AA26943: to=bounce, delay=00:00:00, stat=User unknown
Mar 1 23:37:54 all sendmail[5019]: AA05019: to=bounce, delay=00:00:00, stat=User unknown
Mar 2 08:39:46 all sendmail[10525]: AA10525: to=bounce, delay=00:00:00, stat=User unknown
Mar 2 08:50:04 all sendmail[11453]: AA11453: to=bounce, delay=00:00:00, stat=User unknown
Mar 2 09:27:46 all sendmail[14067]: AA14067: to=bounce, delay=00:00:01, stat=User unknown
Mar 2 09:32:17 all sendmail[14460]: AA14460: to=bounce, delay=00:00:00, stat=User unknown
Mar 2 10:31:54 all sendmail[18680]: AA18680: to=bounce, delay=00:00:00, stat=User unknown
Mar 2 10:43:46 all sendmail[19704]: AA19704: to=bounce, delay=00:00:00, stat=User unknown
Mar 2 16:45:51 all sendmail[11009]: AA11009: to=bounce, delay=00:00:00, stat=User unknown
Mar 2 17:12:25 all sendmail[13547]: AA13547: to=bounce, delay=00:00:00, stat=User unknown
Mar 2 22:19:07 all sendmail[2925]: AA02925: to=bounce, delay=00:00:00, stat=User unknown
Mar 3 07:39:24 all sendmail[4344]: AA04344: to=bounce, delay=00:00:00, stat=User unknown
Mar 3 07:57:17 all sendmail[5720]: AA05720: to=bounce, delay=00:00:00, stat=User unknown
Mar 4 12:54:50 all sendmail[17268]: AA17268: to=bounce, delay=00:00:00, stat=User unknown
Mar 4 19:23:27 all sendmail[9600]: AA09600: to=bounce, delay=00:00:00, stat=User unknown
Looking for 'failed'
The following lines (if any) indicate possible attempts to forge IP addresses.
This can also result from improperly configured domain name servers.
Mar 7 08:53:08 all in.gopherd[29085]: warning: can't verify hostname: gethostbyname(bannana.dup.devry.edu) failed
Mar 7 16:25:25 all in.gopherd[24852]: warning: can't verify hostname: gethostbyname(r198_213_14_45.etsu.edu) failed
Looking for 'from=|'
The following entries (if any) are indicative of intentional attacks
on the Sendmail mail server software. Further investigation is warranted.
Mar 1 15:55:22 all sendmail[24056]: AA24056: from=|, size=0, class=0
Mar 1 17:14:56 all sendmail[1270]: AA01270: from=|, size=0, class=0
Mar 1 18:23:45 all sendmail[7361]: AA07361: from=|, size=0, class=0
Mar 1 18:42:37 all sendmail[9207]: AA09207: from=|, size=0, class=0
Mar 1 19:28:22 all sendmail[12949]: AA12949: from=|, size=0, class=0
Mar 1 20:40:03 all sendmail[18761]: AA18761: from=|, size=0, class=0
Mar 1 21:49:49 all sendmail[25561]: AA25561: from=|, size=0, class=0
Mar 1 22:06:22 all sendmail[26943]: AA26943: from=|, size=0, class=0
Mar 1 23:37:54 all sendmail[5019]: AA05019: from=|, size=0, class=0
Mar 2 08:39:46 all sendmail[10525]: AA10525: from=|, size=0, class=0
Mar 2 08:50:04 all sendmail[11453]: AA11453: from=|, size=0, class=0
Mar 2 09:27:46 all sendmail[14067]: AA14067: from=|, size=0, class=0
Mar 2 09:32:17 all sendmail[14460]: AA14460: from=|, size=0, class=0
Mar 2 10:31:54 all sendmail[18680]: AA18680: from=|, size=0, class=0
Mar 2 10:43:46 all sendmail[19704]: AA19704: from=|, size=0, class=0
Mar 2 16:45:51 all sendmail[11009]: AA11009: from=|, size=0, class=0
Mar 2 17:12:25 all sendmail[13547]: AA13547: from=|, size=0, class=0
Mar 2 22:19:07 all sendmail[2925]: AA02925: from=|, size=0, class=0
Mar 3 07:39:24 all sendmail[4344]: AA04344: from=|, size=0, class=0
Mar 3 07:57:17 all sendmail[5720]: AA05720: from=|, size=0, class=0
Mar 4 12:54:51 all sendmail[17268]: AA17268: from=|, size=0, class=0
Mar 4 19:23:27 all sendmail[9600]: AA09600: from=|, size=0, class=0
Looking for 'refused'
The following lines (if any) indicate attempted entries that were refused access:
Feb 27 11:24:23 all in.ftpd[18268]: refused connect from pfizergate.pfizer.com
Feb 28 00:57:43 all in.thttpd2[12682]: refused connect from shemp.bucks.edu
Feb 28 06:38:50 all in.thttpd2[16769]: refused connect from galileo.mckinley.com
Feb 28 06:38:57 all in.thttpd2[16794]: refused connect from galileo.mckinley.com
Mar 3 18:06:17 all in.thttpd2[10434]: refused connect from hd71-125.compuserve.com
Mar 3 18:06:36 all in.thttpd2[10472]: refused connect from hd71-125.compuserve.com
Mar 4 03:38:07 all in.telnetd[16226]: refused connect from ebola@terra.igcom.net
Mar 4 08:17:38 all in.gopherd[1331]: refused connect from 205.216.146.178
Mar 4 14:32:57 all in.telnetd[22958]: refused connect from cveley@gunnison.com
Mar 4 19:26:37 all in.ftpd[9914]: refused connect from very.friend.ly.net
Mar 5 14:21:53 all in.telnetd[11449]: refused connect from fc@localhost
Mar 5 22:12:36 all in.telnetd[7960]: refused connect from wfarge@gunnison.com
Mar 5 22:13:22 all in.telnetd[8010]: refused connect from wfarge@gunnison.com
Mar 5 23:59:57 all in.gopherd[13167]: refused connect from 205.216.146.178
Mar 6 13:17:32 all in.ftpd[26482]: refused connect from edmund.cs.andrews.edu
Mar 7 08:53:08 all in.gopherd[29085]: refused connect from 206.69.49.20
Mar 7 11:37:10 all in.ftpd[10231]: refused connect from noc.tor.hookup.net
Mar 7 15:24:12 all in.ftpd[21409]: refused connect from 143.211.156.105
Mar 7 16:25:25 all in.gopherd[24852]: refused connect from 198.213.14.45
Mar 7 16:46:32 all in.ftpd[26084]: refused connect from asdn.on.ca
Mar 8 09:52:26 all in.ftpd[22413]: refused connect from marlowe.physcip.uni-stuttgart.de
Mar 8 20:17:50 all in.telnetd[1057]: refused connect from maxx@osh1.datasync.com
Mar 9 04:48:26 all in.telnetd[25289]: refused connect from dhp.com
Mar 9 12:23:18 all in.gopherd[17060]: refused connect from 205.216.146.178
Looking for 'warning:'
The following lines (if any) indicate possible attempts to forge IP addresses.
This can also result from improperly configured domain name servers.
Mar 4 08:17:38 all in.gopherd[1331]: warning: host name/name mismatch: dialup-b.mv.opentext.com != j.mv.opentext.com
Mar 5 23:59:57 all in.gopherd[13167]: warning: host name/name mismatch: dialup-b.mv.opentext.com != j.mv.opentext.com
Mar 9 12:23:18 all in.gopherd[17060]: warning: host name/name mismatch: dialup-b.mv.opentext.com != j.mv.opentext.com
Looking for 'SYSERR'
The following entries (if any) are indicative of either intentional
attacks or errors in the operating environment. Further investigation is warranted.
Mar 1 15:55:25 all sendmail[24056]: AB24056: SYSERR: No valid recipients
Mar 1 15:55:25 all sendmail[24056]: AB24056: SYSERR: No valid recipients
Mar 1 17:15:00 all sendmail[1270]: AB01270: SYSERR: No valid recipients
Mar 1 17:15:00 all sendmail[1270]: AB01270: SYSERR: No valid recipients
Mar 1 18:23:48 all sendmail[7361]: AB07361: SYSERR: No valid recipients
Mar 1 18:23:48 all sendmail[7361]: AB07361: SYSERR: No valid recipients
Mar 1 18:42:40 all sendmail[9207]: AB09207: SYSERR: No valid recipients
Mar 1 18:42:40 all sendmail[9207]: AB09207: SYSERR: No valid recipients
Mar 1 19:28:25 all sendmail[12949]: AB12949: SYSERR: No valid recipients
Mar 1 19:28:25 all sendmail[12949]: AB12949: SYSERR: No valid recipients
Mar 1 20:40:07 all sendmail[18761]: AB18761: SYSERR: No valid recipients
Mar 1 20:40:07 all sendmail[18761]: AB18761: SYSERR: No valid recipients
Mar 1 21:49:53 all sendmail[25561]: AB25561: SYSERR: No valid recipients
Mar 1 21:49:53 all sendmail[25561]: AB25561: SYSERR: No valid recipients
Mar 1 22:06:25 all sendmail[26943]: AB26943: SYSERR: No valid recipients
Mar 1 22:06:25 all sendmail[26943]: AB26943: SYSERR: No valid recipients
Mar 1 23:37:57 all sendmail[5019]: AB05019: SYSERR: No valid recipients
Mar 1 23:37:57 all sendmail[5019]: AB05019: SYSERR: No valid recipients
Mar 2 08:39:49 all sendmail[10525]: AB10525: SYSERR: No valid recipients
Mar 2 08:39:49 all sendmail[10525]: AB10525: SYSERR: No valid recipients
Mar 2 08:50:07 all sendmail[11453]: AB11453: SYSERR: No valid recipients
Mar 2 08:50:07 all sendmail[11453]: AB11453: SYSERR: No valid recipients
Mar 2 09:27:49 all sendmail[14067]: AB14067: SYSERR: No valid recipients
Mar 2 09:27:49 all sendmail[14067]: AB14067: SYSERR: No valid recipients
Mar 2 09:32:20 all sendmail[14460]: AB14460: SYSERR: No valid recipients
Mar 2 09:32:20 all sendmail[14460]: AB14460: SYSERR: No valid recipients
Mar 2 10:31:57 all sendmail[18680]: AB18680: SYSERR: No valid recipients
Mar 2 10:31:57 all sendmail[18680]: AB18680: SYSERR: No valid recipients
Mar 2 10:43:49 all sendmail[19704]: AB19704: SYSERR: No valid recipients
Mar 2 10:43:49 all sendmail[19704]: AB19704: SYSERR: No valid recipients
Mar 2 16:45:54 all sendmail[11009]: AB11009: SYSERR: No valid recipients
Mar 2 16:45:54 all sendmail[11009]: AB11009: SYSERR: No valid recipients
Mar 2 17:12:29 all sendmail[13547]: AB13547: SYSERR: No valid recipients
Mar 2 17:12:29 all sendmail[13547]: AB13547: SYSERR: No valid recipients
Mar 2 22:19:10 all sendmail[2925]: AB02925: SYSERR: No valid recipients
Mar 2 22:19:10 all sendmail[2925]: AB02925: SYSERR: No valid recipients
Mar 3 07:39:27 all sendmail[4344]: AB04344: SYSERR: No valid recipients
Mar 3 07:39:27 all sendmail[4344]: AB04344: SYSERR: No valid recipients
Mar 3 07:57:21 all sendmail[5720]: AB05720: SYSERR: No valid recipients
Mar 3 07:57:21 all sendmail[5720]: AB05720: SYSERR: No valid recipients
Mar 4 12:54:53 all sendmail[17268]: AB17268: SYSERR: No valid recipients
Mar 4 12:54:53 all sendmail[17268]: AB17268: SYSERR: No valid recipients
Mar 4 19:23:30 all sendmail[9600]: AB09600: SYSERR: No valid recipients
Mar 4 19:23:30 all sendmail[9600]: AB09600: SYSERR: No valid recipients
Looking for 'LOGIN FAILURE'
The following entries (if any) indicate failed login attempts.
Numerous failed login attempts to normally unused
accounts are a strong indicator of intentional attack.
Mar 3 10:49:50 all login: LOGIN FAILURE ON ttyp6 FROM unix, No
Mar 3 10:49:53 all login: LOGIN FAILURE ON ttyp6 FROM unix, No
Mar 3 10:50:03 all login: LOGIN FAILURE ON ttyp6 FROM unix, Our
Mar 3 10:50:07 all login: LOGIN FAILURE ON ttyp6 FROM unix, Our
Mar 3 10:50:17 all login: LOGIN FAILURE ON ttyp6 FROM unix, For
Mar 3 10:50:22 all login: LOGIN FAILURE ON ttyp6 FROM unix, For
Mar 3 10:50:32 all login: LOGIN FAILURE ON ttyp6 FROM unix, Have
Mar 3 10:50:35 all login: LOGIN FAILURE ON ttyp6 FROM unix, Have
Size reduction = 9737 / 3868571 = 0.251695005726921%
Done checking /var/log/syslog
Checking /usr/ucb/last
Ignoring '^fc '
Ignoring '^cp '
Ignoring '^game '
Ignoring '^iw '
Ignoring '^Sfc '
Ignoring '^ml '
Ignoring '^reboot '
Ignoring '^shutdown '
Ignoring '^cc '
Ignoring '^mc '
Ignoring '^fcr '
Looking for 'ftp'
The following entries indicate illicit file transfer attempts.
root ftp unix Sun Jun 18 20:04 - 20:59 (1+00:54)
root ftp unix Sun Jun 18 20:01 - 20:03 (00:01)
root ftp unix Sun Jun 18 19:58 - 19:59 (00:00)
root ftp unix Sun Jun 18 19:54 - 19:55 (00:00)
caje20 ftp wpi.WPI.EDU Sun Feb 19 17:59 - 18:00 (00:00)
llnl ftp tamiya.llnl.gov Wed Feb 15 12:03 - 12:11 (00:08)
llnl ftp tamiya.llnl.gov Thu Feb 9 17:04 - 17:13 (00:08)
frank ftp mls.SAIC.COM Mon Feb 6 15:46 - 15:48 (00:02)
frank ftp 139.121.22.183 Wed Jan 25 10:30 - 10:32 (00:01)
bob ftp cowfish.MorningS Fri Jan 6 17:13 - 17:30 (00:16)
bob ftp cowfish.MorningS Fri Jan 6 09:36 - crash (00:31)
freedman ftp unix2.netaxs.com Sun Dec 4 08:12 - 08:28 (00:16)
freedman ftp unix2.netaxs.com Sun Dec 4 08:11 - 08:11 (00:00)
freedman ftp netaxs.com Mon Nov 14 12:33 - 12:38 (00:04)
freedman ftp 198.69.186.35 Mon Oct 31 11:35 - 11:36 (00:00)
freedman ftp netaxs.com Fri Oct 28 14:34 - 14:34 (00:00)
freedman ftp netaxs.com Thu Oct 13 19:06 - 19:15 (00:08)
freedman ftp netaxs.com Thu Oct 13 18:44 - 19:02 (00:18)
freedman ftp netaxs.com Thu Oct 13 18:35 - 18:43 (00:07)
freedman ftp netaxs.com Thu Oct 13 18:27 - 18:35 (00:08)
freedman ftp netaxs.com Thu Oct 13 09:01 - 09:37 (00:36)
freedman ftp netaxs.com Tue Oct 11 09:41 - 09:41 (00:00)
freedman ftp netaxs.com Thu Sep 29 08:48 - 08:48 (00:00)
freedman ftp netaxs.com Wed Sep 21 13:19 - 13:21 (00:01)
freedman ftp netaxs.com Tue Sep 20 12:40 - crash (00:05)
Looking for 'caje'
The following entries are from a known ex-user.
caje20 ttyp1 wpi.WPI.EDU Fri Jul 14 10:42 - 10:45 (00:02)
caje20 ttyp1 wpi.WPI.EDU Fri Jul 14 00:26 - 00:27 (00:01)
caje20 ttyp2 wpi.WPI.EDU Thu Jul 13 12:27 - 12:29 (00:02)
caje20 ttyp1 wpi.WPI.EDU Wed Jul 12 23:56 - 23:57 (00:01)
caje20 ttyp1 wpi.WPI.EDU Wed Jul 12 23:53 - 23:56 (00:02)
caje20 ttyp1 wpi.WPI.EDU Wed Jul 12 23:45 - 23:53 (00:08)
caje20 ttyp1 wpi.WPI.EDU Mon Jun 19 22:53 - 22:54 (00:00)
caje20 ttyp0 wpi.WPI.EDU Wed May 31 16:27 - 16:27 (00:00)
caje20 ttyp1 wpi.WPI.EDU Fri May 19 00:15 - 00:17 (00:01)
caje20 ttyp1 wpi.WPI.EDU Thu May 4 13:45 - 13:46 (00:01)
caje20 ttyp1 wpi.WPI.EDU Mon Apr 17 19:04 - 19:05 (00:00)
caje20 ttyp1 wpi.WPI.EDU Tue Apr 11 14:34 - 14:35 (00:01)
caje20 ttyc Wed Mar 29 11:51 - 11:53 (00:02)
caje20 ttyp0 bigwpi.WPI.EDU Tue Mar 7 23:33 - 23:35 (00:02)
caje20 ttyp0 wpi.WPI.EDU Tue Feb 28 17:53 - 17:54 (00:01)
caje20 ttyp1 wpi.WPI.EDU Sun Feb 19 17:51 - 17:59 (00:07)
caje20 ttyp0 wpi.WPI.EDU Fri Feb 17 20:08 - 20:09 (00:01)
caje20 ttyp0 wpi.WPI.EDU Fri Feb 17 20:04 - 20:04 (00:00)
caje20 ttyp0 wpi.WPI.EDU Fri Feb 17 19:56 - 19:56 (00:00)
caje20 ttyp0 wpi.WPI.EDU Thu Feb 16 21:32 - 21:40 (00:07)
caje20 ttyp0 wpi.WPI.EDU Wed Feb 15 08:05 - 08:05 (00:00)
caje20 ttyp0 edwards.WPI.EDU Tue Feb 14 11:29 - 11:31 (00:01)
caje20 ttyp0 wpi.WPI.EDU Fri Feb 10 23:49 - 23:58 (00:09)
caje20 ttyp0 wpi.WPI.EDU Fri Feb 10 23:44 - 23:46 (00:01)
caje20 ttyc Thu Feb 9 12:50 - 13:00 (00:09)
caje20 ttyp0 wpi.WPI.EDU Wed Feb 8 22:55 - 22:56 (00:01)
caje20 ttyp0 wpi.WPI.EDU Sun Feb 5 15:16 - 15:18 (00:01)
caje20 ttyp0 wpi.WPI.EDU Sat Feb 4 23:31 - 23:32 (00:00)
caje20 ttyp0 wpi.WPI.EDU Sat Feb 4 18:39 - 18:41 (00:01)
caje20 ttyp0 wpi.WPI.EDU Fri Feb 3 22:33 - 22:36 (00:02)
caje20 ttyp0 wpi.WPI.EDU Fri Feb 3 22:12 - 22:17 (00:04)
caje20 ttyp0 wpi.WPI.EDU Fri Feb 3 22:07 - crash (00:02)
caje20 ttyp0 wpi.WPI.EDU Fri Feb 3 20:26 - 20:27 (00:01)
caje20 ttyp0 wpi.WPI.EDU Fri Feb 3 18:08 - 18:08 (00:00)
caje20 ttyp0 wpi.WPI.EDU Fri Feb 3 17:06 - 17:10 (00:03)
caje20 ttyp0 Fri Feb 3 09:17 - 09:18 (00:01)
caje20 ttyp0 wpi.WPI.EDU Fri Feb 3 09:14 - 09:17 (00:03)
caje20 ttyp0 wpi.WPI.EDU Thu Feb 2 22:30 - 22:32 (00:02)
caje20 ttyp0 wpi.WPI.EDU Thu Feb 2 19:04 - 19:05 (00:00)
caje20 ttyp0 wpi.WPI.EDU Thu Feb 2 18:06 - 18:09 (00:02)
caje20 ttyp0 Thu Feb 2 16:30 - 16:33 (00:02)
caje20 ttyp0 wpi.WPI.EDU Thu Feb 2 16:27 - 16:30 (00:03)
caje20 ttyp0 garden.WPI.EDU Thu Feb 2 15:25 - 15:49 (00:24)
caje20 ttyp0 garden.WPI.EDU Thu Feb 2 15:20 - 15:23 (00:02)
caje20 ttyp0 garden.WPI.EDU Thu Feb 2 15:11 - 15:20 (00:08)
caje20 ttyp0 garden.WPI.EDU Thu Feb 2 15:06 - 15:10 (00:04)
caje20 ttyp0 garden.WPI.EDU Thu Feb 2 15:04 - 15:05 (00:01)
caje20 ttyp0 wpi.WPI.EDU Thu Feb 2 14:09 - 14:11 (00:02)
caje20 ttyp0 gordon.WPI.EDU Thu Feb 2 11:39 - 11:43 (00:03)
caje20 ttyp0 wpi.WPI.EDU Thu Feb 2 09:58 - 09:59 (00:01)
caje20 ttyp0 wpi.WPI.EDU Wed Feb 1 20:38 - 20:39 (00:01)
caje20 ttyp0 wpi.WPI.EDU Wed Feb 1 17:05 - 17:06 (00:00)
caje20 ttyp0 wpi.WPI.EDU Wed Feb 1 10:04 - 10:05 (00:01)
caje20 ttyp0 wpi.WPI.EDU Wed Feb 1 10:03 - 10:03 (00:00)
caje20 ttyp0 wpi.WPI.EDU Tue Jan 31 21:50 - 21:51 (00:00)
caje20 ttyp0 wpi.WPI.EDU Tue Jan 31 20:11 - 20:15 (00:04)
caje20 ttyp0 wpi.WPI.EDU Tue Jan 31 20:10 - 20:11 (00:00)
caje20 ttyp0 wpi.WPI.EDU Tue Jan 31 18:33 - 18:41 (00:07)
caje20 ttyp0 wpi.WPI.EDU Tue Jan 31 17:35 - 17:45 (00:10)
Looking for '.'
The following entries are for informational purposes only.
sc ttyp6 all.net Tue Jan 23 11:20 - 11:22 (00:02)
maillist ttyp1 unix Fri Jan 5 16:31 - 16:33 (00:02)
root console Sun Jun 18 07:59 - down (00:01)
root console Sun Jun 18 03:55 - crash (00:08)
root ttyp1 unix Mon May 22 14:26 - 16:28 (02:02)
root ttyp1 unix Mon May 22 13:22 - 13:22 (00:00)
root ttyp1 unix Mon May 22 13:20 - 13:21 (00:00)
bb ttyp1 hea.ultranet.com Sat May 20 11:45 - 11:46 (00:00)
bb ttyp1 hea.ultranet.com Thu Apr 27 18:31 - 18:32 (00:00)
bb ttyp1 hea.ultranet.com Fri Apr 21 09:15 - 09:23 (00:07)
bb ttyp1 hea.ultranet.com Tue Apr 11 01:47 - 01:51 (00:03)
bb ttyp1 hea.ultranet.com Tue Apr 4 21:07 - 21:16 (00:09)
bb ttyp0 hea.ultranet.com Mon Mar 13 18:32 - 18:38 (00:05)
Swilner ttyc Wed Mar 8 23:56 - 00:00 (00:04)
Smchugh ttyc Tue Mar 7 14:15 - 15:35 (01:20)
Smchugh ttyc Tue Mar 7 12:12 - 12:38 (00:26)
Smchugh ttyc Tue Mar 7 12:05 - 12:10 (00:05)
Smchugh ttyc Tue Mar 7 11:56 - 12:03 (00:06)
Swilner ttyc Mon Mar 6 23:29 - 23:30 (00:01)
Swilner ttyc Fri Mar 3 23:27 - 23:29 (00:01)
Sbb ttyc Wed Mar 1 12:30 - 12:34 (00:04)
bb ttyc Wed Mar 1 12:21 - 12:28 (00:07)
bb ttyc Wed Mar 1 12:18 - 12:20 (00:02)
bb ttyc Wed Mar 1 11:20 - 11:33 (00:13)
Sbb ttyc Wed Mar 1 11:03 - 11:19 (00:15)
Swilner ttyc Tue Feb 28 22:28 - 22:30 (00:01)
Swilner ttyc Mon Feb 27 21:34 - 21:41 (00:06)
Swilner ttyc Mon Feb 27 21:30 - 21:33 (00:03)
Swilner ttyc Thu Feb 23 23:55 - 00:00 (00:04)
Swilner ttyc Thu Feb 23 22:26 - 22:35 (00:09)
Swilner ttyc Thu Feb 23 21:03 - 21:09 (00:06)
tmp ttyp0 all.net Thu Feb 23 17:32 - 17:32 (00:00)
tmp ttyp0 all.net Thu Feb 23 17:31 - 17:32 (00:00)
tmp ttyp0 all.net Thu Feb 23 17:18 - 17:18 (00:00)
berger ttyc Wed Feb 22 14:08 - 14:20 (00:12)
bb ttyc Sun Feb 19 09:05 - 09:07 (00:02)
Sbb ttyc Sun Feb 19 08:55 - 09:04 (00:08)
bb ttyc Sun Feb 19 08:43 - 08:54 (00:10)
Shudsono ttyc Sat Feb 18 22:36 - 00:07 (01:30)
Shudsono ttyc Sat Feb 18 16:40 - 16:53 (00:12)
Sbb ttyc Thu Feb 16 15:00 - 15:08 (00:08)
bb ttyc Thu Feb 16 10:43 - 10:44 (00:00)
Shudsono ttyc Wed Feb 15 15:26 - 16:56 (01:30)
Shudsono ttyc Wed Feb 15 08:54 - 14:31 (05:36)
Rfc console Sun Feb 12 17:53 - 19:11 (01:18)
bb ttyc Fri Feb 10 20:21 - 20:23 (00:02)
Shudsono ttyc Wed Feb 8 09:18 - 13:00 (03:42)
Shudsono ttyc Wed Feb 8 09:11 - 09:14 (00:03)
bb ttyc Tue Feb 7 20:23 - 20:32 (00:09)
Sssds ttyp0 Thu Feb 2 16:33 - 16:33 (00:00)
Sssds ttyp0 wpi.WPI.EDU Fri Jan 27 18:37 - 18:37 (00:00)
Sssds ttyp0 wpi.WPI.EDU Mon Jan 23 22:37 - 22:37 (00:00)
Sssds ttyp0 wpi.WPI.EDU Mon Jan 23 22:37 - 22:37 (00:00)
guest ttyp0 192.204.21.111 Sun Jan 22 14:38 - 14:40 (00:02)
Sbob ttyp1 cowfish.MorningS Fri Jan 6 17:02 - 17:02 (00:00)
Sbob ttyp1 cowfish.MorningS Fri Jan 6 17:00 - 17:00 (00:00)
bob ttyp0 cowfish.MorningS Fri Jan 6 16:50 - 17:25 (00:35)
bob ttyp0 cowfish.MorningS Fri Jan 6 09:30 - 10:06 (00:36)
root console Tue Jan 3 16:29 - 16:29 (00:00)
wtmp begins Tue Jan 3 16:29
Size reduction = 110282 / 265283 = 41.5714538813267%
Done checking /usr/ucb/last
Checking /u/www/log
Ignoring ' cat '
Ignoring "Error:Can.t stat file"
Ignoring 'Error:Unknown request - $'
Ignoring 'Error:Unknown request - HEAD'
Ignoring "Error:Can.t stat file -"
Ignoring "Error:Can.t fetch directories -"
Looking for 'Error:'
The following entries (if any) indicate errors produced
by attempts to use the Web server. Further examination is necessary to determine
whether or not these are indicative of intentional abuse.
origin.admdis.ndhq.dnd.ca unknown 1996/01/08 15:50:01 4993 4991 Error:Access Denied - GET /books/iw/iwframe/iw2.gif
origin.admdis.ndhq.dnd.ca unknown 1996/01/08 15:50:01 4994 4992 Error:Access Denied - GET /books/iw/iwframe/iw4.gif
origin.admdis.ndhq.dnd.ca unknown 1996/01/08 15:50:12 5011 5003 Error:Access Denied - GET /books/iw/iwframe/iw3.gif
origin.admdis.ndhq.dnd.ca unknown 1996/01/08 15:50:20 5015 5014 Error:Access Denied - GET /books/iw/iwframe/iw1.gif
139.121.134.20 unknown 1996/01/09 16:52:52 26128 26108 Error:Unknown request - QUIT
unix unknown 1996/01/13 14:50:14 5932 5930 Error:Access Denied - GET /journal/csi/csi-96-01.html
all.net fc 1996/01/24 17:09:18 12891 12889 Error:Access Denied - GET /iwar.html
sundial.sundial.net caniglia 1996/01/25 12:43:28 15922 15918 Error:Unknown request - G
unix unknown 1996/01/31 08:21:48 6649 6648 Error:Access Denied - GET /books/ir/csl02-92.html
unix unknown 1996/01/31 08:34:02 7193 7192 Error:Access Denied - GET /books/ir/ietf/ietf.html
unix unknown 1996/02/01 10:12:43 16434 16433 Error:Access Denied - GET /journal/letters/nntp.html
unix unknown 1996/02/21 11:44:02 15523 15522 Error:Access Denied - GET /books/policy/sachs.policy
unix unknown 1996/02/21 11:44:10 15541 15536 Error:Access Denied - GET /books/policy/sachs.policy
mach1.gs.com unknown 1996/02/21 11:58:44 16452 16451 Error:Access Denied - GET /books/policy/sachs.policy
iddmz3.iddis.com unknown 1996/02/21 14:37:25 26271 26267 Error:Access Denied - GET /books/policy/sachs.policy
iddmz3.iddis.com unknown 1996/02/21 14:40:24 26460 26457 Error:Access Denied - GET /books/policy/sachs.policy
Cust36.Max5.Chicago.IL.MS.UU.NET unknown 1996/02/21 23:26:51 29449 29448 Error:Access Denied - GET /books/policy/sachs.policy
tricomfg.com unknown 1996/02/22 13:50:30 20934 20929 Error:Access Denied - GET /books/policy/sachs.policy
deadparrot.execpc.com unknown 1996/02/23 07:37:49 21294 21288 Error:Access Denied - GET /books/policy/sachs.policy
unix unknown 1996/02/25 17:43:29 4855 4854 Error:Access Denied - GET /zz.html
ntcs-ip62.uchicago.edu unknown 1996/02/25 18:42:52 7994 7993 Error:Access Denied - GET /books/policy/sachs.policy
dd72-181.compuserve.com unknown 1996/02/25 21:41:13 17285 17283 Error:Access Denied - GET /books/policy/sachs.policy
nntp1.reach.com unknown 1996/02/26 12:44:56 8469 8462 Error:Access Denied - GET /books/policy/sachs.policy
hastur.execpc.com unknown 1996/02/27 09:44:04 7013 7012 Error:Access Denied - GET /books/policy/sachs.policy
hastur.execpc.com unknown 1996/02/27 09:44:33 7077 7076 Error:Access Denied - GET /books/policy/sachs.policy
hastur.execpc.com unknown 1996/02/27 09:46:01 7244 7235 Error:Access Denied - GET /books/policy/sachs.policy
wisdlx7.badgerdial.net unknown 1996/03/04 09:29:11 5555 5549 Error:Access Denied - GET /books/policy/sachs.policy
205.213.4.3 unknown 1996/03/04 09:34:13 5840 5839 Error:Access Denied - GET /books/policy/sachs.policy
meb406a-1.anesth.mcw.edu unknown 1996/03/04 16:39:22 544 540 Error:Access Denied - GET /books/policy/sachs.policy
199.196.74.214 unknown 1996/03/05 08:57:32 22958 22949 Error:Access Denied - GET /books/policy/sachs.policy
199.196.74.214 unknown 1996/03/05 09:02:19 23248 23243 Error:Access Denied - GET /books/policy/sachs.policy
dd75-063.compuserve.com unknown 1996/03/05 13:03:13 7199 7198 Error:Access Denied - GET /books/policy/sachs.policy
dd75-063.compuserve.com unknown 1996/03/05 13:03:35 7219 7218 Error:Access Denied - GET /books/policy/sachs.policy
dd75-063.compuserve.com unknown 1996/03/05 13:04:12 7250 7249 Error:Access Denied - GET /books/policy/sachs.policy
dd75-063.compuserve.com unknown 1996/03/05 13:04:29 7265 7264 Error:Access Denied - GET /books/policy/sachs.policy
dd75-063.compuserve.com unknown 1996/03/05 13:05:20 7304 7303 Error:Access Denied - GET /books/policy/sachs.policy
dd75-063.compuserve.com unknown 1996/03/05 13:26:51 8392 8391 Error:Access Denied - GET /books/policy/sachs.policy
ether97-41.waukesha.tec.wi.us unknown 1996/03/06 17:35:07 10802 10796 Error:Access Denied - GET /books/policy/sachs.policy
piweba6y-ext.prodigy.com unknown 1996/03/08 17:14:11 20891 20887 Error:Access Denied - GET /books/policy/sachs.policy
piweba6y-ext.prodigy.com unknown 1996/03/08 17:14:37 20909 20908 Error:Access Denied - GET /books/policy/sachs.policy/
F180-052.net.wisc.edu unknown 1996/03/08 17:34:53 21673 21672 Error:Access Denied - GET /books/policy/sachs.policy
Size reduction = 4424 / 3827479 = 0.115585219409434%
Done checking /u/www/log
<<=== End:Done checking audit file contents.
====================================================
Tracer done - Thu Mar 7 12:13:39 EST 1996
====================================================