The Persistent Hacker

As newcomers to the Internet, network security was considered a minor problem in the whole set of services and programs that we enjoyed setting up: the primary name server for Chile, the main news feed (almost full) for the country, the local workstation network design, to mention just a few.

Moreover, even if we heard a lot of stories about the activities of hackers in the Internet, they all seemed far away from our country, surrounded by mountains and the sea at the end of the world. And our computers are mainly used by students and professors in a supposedly secure academic environment. Our confidence was completely misplaced.

In this paper, we describe the activities of a hacker in our hosts during the last few months of 1992 and the beginning of 1993, and the conclusions and experiences he (she, them?) left us with. This was our first serious hacker problem, with an intruder that had only two powerful weapons: time and patience.

We named that hacker "Morgan", because the Chilean coasts were devastated more than two centuries ago by an English pirate of that name when our country was a Spanish colony (nothing personal against England :-)

He entered the campus network from many sites (always hacked sites) and from here to other hosts in many other countries.

During the time he was our uninvited guest, he showed perseverance and regularity in his procedure. Based on that, we can affirm that he used the same method to attack other hosts. We obtained evidence of this from only one other host, located in Europe. In general, system administrators don't like to talk about their security problems.

This paper has two authors, however it is a report of the work of the whole system administration staff of the Department of Computer Science.