I've been away a while; are we talking about Logica again?  You may be thinking 
of inet.conf, an OMVS file that I'm-not-an-OMVS-expert-but I'm sure is supposed 
to be write-protected against non-admins.  From a report:

/* Quote begins: */
One back door they installed once they were in is a program of their own design 
that initiated contact with an internet server  designated by the hackers, 
using port 443.  This routine port helped deflect attention, but even more 
important is that the mainframe program was acting as a client; since the 
traffic was outgoing, initiated by SY19, many of the firewall measures against 
hacking would ignore it.  The hackers would contact the outside server at their 
convenience and communicate with the mainframe.

They also updated inet.conf, a Unix configuration file that must surely be 
write-protected against unauthorized changes.  It’s supplied by IBM, and a line 
added to it can define a service, granting SUPERUSER status to (in this case) 
an incoming port-443 stream....

There was also a description of a process by which an ordinary ID could be 
switched to UID(0) GID(0), gaining root access.  My copy of the Logica report 
says “The actual content of ‘go.rx’ script can be seen in Figure 91 on page 
156....The script takes two arguments, first the numerical UID to switch to, 
then the numerical group ID for the group under which the new command 
interpreter should be launched.  If successfully executed, this program would 
switch the user to a new user, without logging out and in, thus effectively 
getting the new user’s system-access permissions without having been prompted 
for a password.”  But the REXX code is redacted from my copy....
/* Quote ends */

The ID they stole initially, I gather, did have read access to the RACF 
database, never a good idea; that's how they were able to get so many passwords 
afterward, by downloading it and applying John-the-Ripper to it at leisure.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Every movie has maybe one or two or three compelling reasons why it should 
be made.  One is that this is a beloved book and people are going to want to 
see an adaptation.  But you had better figure out the other two, because at the 
end of the day, this is a motion picture.  -Ron Howard */

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Tom Brennan
Sent: Sunday, January 30, 2022 18:18

Thanks, so the ASM program from the blog was never used, but the main problems 
were:

1) Some way to get UID=0 access (I think Soldier of Fortran mentioned this years 
ago, which I hope has been fixed).
2) RACF DB that was not read protected (not the brightest)

--- On 1/30/2022 12:09 PM, Itschak Mugzach wrote:
> Hi Tom,
> 
> Once they got root, they were able to unload racf DB that was not well 
> protected and run an (open source) password cracker. They had time to 
> get many user passwords. No user SVC was involved, not needed. I don't 
> know where David collects his information, but the breach is well 
> documented in many reports.
