Catching the AT&T Hacker

The bulk of my career wasn’t directly related to security. I’ve been a software developer, database administrator, and Linux administrator. But security fits into these roles. Everyone participates in the security process.

My “adventures” began the first day I was introduced to AT&T UNIX System V. It’s an old UNIX platform from before Linux, but much of the material is relatable to modern systems. I was a C programmer and was developing a program in C on this UNIX system. I didn’t know much about the OS itself when we got attacked by a hacker.

My boss asked me to figure out why this server kept crashing. After some investigation, we determined that the previous system admin had installed some back-doors before he left the company. I assume he did it so he would have access if something ever went wrong, but it also let him hack in after he left. He was far more talented than me, so I had to learn a lot in order to find all his backdoors and plug them.

In short, he had set up several accounts with SUID shells in them so he could log in and do what he wanted. He was only logging in and shutting down services or shutting down the system: being annoying rather than causing real damage. It wasn’t too complicated in the end, but since I was new to UNIX it took a bit to sort it all out. In the end, we got all the accounts cleaned up, all the passwords changed, and so on. We didn’t have a firewall in those days; we had to rely on basic UNIX permissions to secure it. Naturally we added more layers of security once we got him locked out.

This type of hack was so common in those days that I ended up writing a script that would search for that particular vulnerability on a daily basis and send the report to me. I expanded that script to monitor for many other possible issues, and it became a standard daily script on all our servers, scanning for a variety of security vulnerabilities. It was a poor man’s anti-hacker script that later caught another hacker. More on that in another article though. This script turned out to be the beginning of my career doing server security audits for my company.
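The backdoor described above works because a set-uid copy of a shell runs as the file's owner: if that owner is root, anyone who can execute the copy gets a root prompt, no password needed. The nightly script the author mentions is not reproduced on the page, so what follows is an added example of the same idea written for this page, not the author's original script. It lists every set-uid/set-gid file under a directory, flags the ones that are really a shell (compared by content, because the classic trick is a renamed copy of /bin/sh hidden in a home directory, and also any set-uid script), and diffs the full list against yesterday's baseline so new entries stand out in the morning report. The baseline path, the fallback shell list and the "#!" heuristic are assumptions; adjust them for the host.

```shell
#!/bin/sh
# Added example (not the page author's script): a poor man's daily SUID audit.
# Assumptions: POSIX sh, find/cmp/comm available, /etc/shells lists the
# legitimate shells (a built-in list is used when it is missing).

# Known shells to compare set-id files against.
known_shells() {
    if [ -r /etc/shells ]; then
        grep '^/' /etc/shells
    else
        printf '%s\n' /bin/sh /bin/bash /bin/ksh /bin/csh /bin/dash
    fi
}

# Every set-uid or set-gid regular file under $1, one per line, sorted.
# -xdev stays on one filesystem so NFS mounts don't slow the nightly run.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Read paths on stdin; print those that are a byte-for-byte copy of a known
# shell, or whose first bytes are "#!" (a set-uid script).  The check is on
# content, not on the file name, so ~/.x with the bits of /bin/sh is caught.
flag_shells() {
    while IFS= read -r f; do
        [ -r "$f" ] || continue
        if [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            printf '%s\t(set-uid script)\n' "$f"
            continue
        fi
        known_shells | while IFS= read -r s; do
            if [ -f "$s" ] && cmp -s "$f" "$s"; then
                printf '%s\t(copy of %s)\n' "$f" "$s"
                break
            fi
        done
    done
}

# Compare today's list with the saved baseline ($2): print paths present
# today but absent yesterday, then replace the baseline for tomorrow.  On the
# first run everything is "new"; on a quiet day it prints nothing.
report_new_setid() {
    root=$1; baseline=$2
    list_setid "$root" > "$baseline.today"
    if [ -f "$baseline" ]; then
        comm -13 "$baseline" "$baseline.today"
    else
        cat "$baseline.today"
    fi
    mv "$baseline.today" "$baseline"
}

# Full daily report for one host: new set-id files, then every set-id file
# that is really a shell.  Typical cron use (assumed paths):
#   report_setid_audit / /var/lib/setid.baseline | mail -s "SUID audit" root
report_setid_audit() {
    echo "== set-id files not in baseline =="
    report_new_setid "$1" "$2"
    echo "== set-id files that are shells or scripts =="
    list_setid "$1" | flag_shells
}
```

A set-uid script shows up in the report even though modern kernels ignore the set-uid bit on interpreted scripts; on the System V box in the story it was honoured, and on any system it is a sign someone tried. The baseline diff is what makes the script useful day to day: a legitimate set-uid program such as `passwd` is in the baseline from the first run and never nags again, while a new one lands in the morning mail.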