From: CSBVAX::MRGATE!@SRI.Com,@wiscvm.wisc.edu:OMOND@EMBL.BITNET@SMTP 2-AUG-1987 14:04
To: EVERHART
Subj: *** Important message ***

Received: from wiscvm.wisc.edu by KL.SRI.COM with TCP; Fri 31 Jul 87 09:01:47-PDT
Received: from EMBL.BITNET by wiscvm.wisc.edu ; Fri, 31 Jul 87 11:01:30 CDT
Date: Fri, 31 Jul 87 17:56:39 n
To: Info-Vax@SRI-KL.ARPA
From: Roy Omond
Organisation: European Molecular Biology Laboratory
Postal-address: Meyerhofstrasse 1, 6900 Heidelberg, W. Germany
Phone: (6221)387-0 [switchboard] (6221)387-248 [direct]
Subject: *** Important message ***

Fellow System Managers,

take heed of the following saga.

Well, the well known patch to SECURESHR.EXE took a *long* time in
coming to Europe. In fact, it took me several days to convince the
local DEC people that there was a security loophole in VMS 4.5 ...
*sigh*.

Anyway, in the meantime, we got screwed around by German hackers
(probably from the notorious Chaos Computer Club in Hamburg). Before
I had the chance to install the patch, "they" managed to get in and
did pretty well at covering their tracks. They patched two images,
SHOW.EXE and LOGINOUT.EXE, so that a) they could login to *any*
account with a certain password, which I'll not divulge,
b) SYS$GW_IJOBCNT was decremented and c) that process would not show
up in SHOW USERS.

They have cost us a lot of real money by using our X.25 connection to
login to several places all round the globe. I have done my best to
notify per PSImail those VAX sites that were accessed from our hacked
system. I pray (and pray and pray ...) that no other damage has been
done, and that I'm not sitting on a time bomb.

Anyway, the following information might help others to check if they
have been tampered with:

Use CHECKSUM to perform a checksum of LOGINOUT.EXE and SHOW.EXE as
follows:

    $ Check Sys$System:Loginout.Exe
    $ Show Symbol Checksum$Checksum

if you get the value 3490940838 then you're in trouble.

    $ Check Sys$System:Show.Exe

if you get 1598142435, then again you're in trouble.

Now something I'm a bit unsure about whether I should publicise :

Two persons with known connections with the Chaos Computer Club in
Hamburg who I know have distributed the patches mentioned above (and
in my opinion are to be considered along with the lowest dregs of
society) I will name here :

Claus Traenkner (at our own outstation of the EMBL in Hamburg) and
Stefan Weirauch (at the Univ. of Karlsruhe)

in the hope that someone somewhere will a) be saved some hassle from
them and b) might perform physical violence on them.

Jeez, I'm scared ...

Roy Omond
System Manager etc.
European Molecular Biology Laboratory,
Heidelberg, West Germany.