Tracing Berferd

Tracing Berferd

Berferd spent a lot of time in our Jail. We spent a lot of time talking to Stephen Hansen, the system administrator at Stanford. Stephen spent a lot of time trying to get a trace. Berferd was attacking us through one of several machines at Stanford. He connected to those machines from a terminal server connected to a terminal server. He connected to the terminal server over a telephone line.

We checked the times he logged in to make a guess about the time zone he might be in. The following figure shows a simple graph we made of his session start times (PST).

                          1         2
         Jan    012345678901234567890123
        s 19                       x
        s 20                       xxxx
        m 21        x x   xxxx
        t 22                  xxxxx  x
        w 23         xx   x xx   x xx
        t 24               x        x
        f 25           x  xxxx
        s 26    
        s 27          xxxx      xx   x
        m 28         x x        x
        t 29         x          xxxx x
        w 30                     x
        t 31    xx
         Feb    012345678901234567890123
        f  1           x         x  x
        s  2                x xx xxx
        s  3           x  x    xxxx x
        m  4                    x

A time graph of Berferd's activity. This is a crude plot made at the time. The tools built during an attack are often hurried and crude.

It seemed to suggest a sleep period on the East Coast of the United States, but programmers are noted for strange hours. This analysis wasn't very useful, but was worth a try.

Stanford's battle with Berferd is an entire story on its own. Berferd was causing mayhem, subverting a number of machines and probing many more. He attacked numerous other hosts around the world from there. Tsutomu Shimomura modified tcpdump to provide a time-stamped recording of each packet. This allowed him to replay real time terminal sessions. They got very good at stopping Berferd's attacks within minutes after he logged into a new machine. In one instance they watched his progress using the ps command. His login name changed to uucp and then bin before the machine ``had disk problems.'' The tapped connections helped in many cases, although they couldn't monitor all the networks at Stanford.

Early in the attack, Wietse Venema of Eindhoven University got in touch with the Stanford folks. He had been tracking hacking activities in the Netherlands for more than a year, and was pretty sure that he knew the identity of the attackers, including Berferd.

Eventually, several calls were traced. They traced back to Washington, Portugal, and finally to the Netherlands. The Dutch phone company refused to continue the trace to the caller because hacking was legal and there was no treaty in place. (A treaty requires action by the Executive branch and approval by the U.S. Senate, which was a bit further than we wanted to take this.)

Berferd used Stanford as a base for many months. There are tens of megabytes of logs of his activities. He had remarkable persistence at a very boring job of poking computers. Once he got an account on a machine, there was little hope for the system administrator. Berferd had a fine list of security holes. He knew obscure sendmail parameters and sendmail non-network security holes and used them well. (Yes, some sendmails have security holes for logged-in users, too. Why is such a large and complex program allowed to run as root?) He had a collection of thoroughly invaded machines, complete with setuid-to-root shell scripts usually stored in /usr/lib/term/.s You do not want to give him an account on your computer.