Craig Warren of Deakin University had written to Huston, AARNET technical manager, about hacker attacks on university systems. Huston had forwarded a copy of the letter to Peter Elford, who assisted Huston in managing AARNET. The hackers broke into Huston's system and also read the letter:
From G.Huston@aarnet.edu.au Mon Sep 23 09:40:43 1991
Received: from [150.203.6.67] by jatz.aarnet.edu.au with SMTP id
AA00265 (5.65+/IDA-1.3.5 for pte900); Mon, 23 Sep 91 09:40:39 +1000
Date: Mon, 23 Sep 91 09:40:39 +1000
Message-Id: <9109222340.AA00265@jatz.aarnet.edu.au>
To: pte900@aarnet.edu.au
From: G.Huston@aarnet.edu.au
Subject: Re: Visitors log Thursday Night—Friday Morning
Status: RO
Date: Sun, 22 Sep 91 19:29:13 +1000
From: Craig Warren <C.Warren@deakin.OZ.AU>
Just to give you a little bit of an idea about what has been
happening since we last spoke…
We have communicated with Sgt Ken Day of the Federal Police about 100
times in the last week. Together with our counterparts from
Warrnambool traces have been arranged on dial-in lines and on Austpac
lines for the capella.cc.deakin.OZ.AU terminal server which was left
open to the world.
On Friday afternoon we were able to trace a call back to a person in
the Warrnambool telephone district. The police have this person's name.
We believe others are involved, as we have seen up to 3 people active
at any one time. It is `suspected' students from RMIT and perhaps
students from Deakin are also involved.
When I left on Friday night, there was plenty of activity still and
the police and Telecom were tracking down another number.
Tomorrow morning I will talk to all parties involved, but it is
likely we will have the names of at least 2 or 3 people that are
involved. We will probably shut down access of `cappella' to AARNet at
this stage, and let the police go about their business of prosecuting
these people.
You will be `pleased' (:-)) to know you have not been the only ones
under attack. I know of at least 2 other sites in Victoria that have
had people attacking them. One of them was Telecom which helped get
Telecom involved!
I will brief you all in the next day or so as to what has happened.
Regards, Craig
The `other' people were, of course, the IS hackers. There is nothing like reading about your own hacking antics in someone's security mail.
Mendax and Prime Suspect frequently visited ANU's computers to read the security mail there. However, universities were usually nothing special, just jumping-off points and, occasionally, good sources of information on how close the AFP were to closing in on the IS hackers.
Far more interesting to Mendax were his initial forays into Telecom's exchanges. Using a modem number Prime Suspect had found, he dialled into what he suspected was Telecom's Lonsdale Exchange in downtown Melbourne. When his modem connected to another one, all he saw was a blank screen. He tried a few basic commands which might give him help to understand the system:
Login. List. Attach.
The exchange's computer remained silent.
Mendax ran a program he had written to fire off every recognised keyboard character—256 of them—at another machine. Nothing again. He then tried the break signal—the Amiga key and the character B pressed simultaneously. That got an answer of sorts.
:
He pulled up another of his hacking tools, a program which dumped 200 common commands to the other machine. Nothing. Finally, he tried typing `logout'. That gave him an answer:
error, not logged on
Ah, thought Mendax. The command is `logon' not `login'.
:logon
The Telecom exchange answered: `username:' Now all Mendax had to do was figure out a username and password.
He knew that Telecom used NorTel equipment. More than likely, NorTel staff were training Telecom workers and would need access themselves. If there were lots of NorTel employees working on many different phone switches, it would be difficult to pass on secure passwords to staff all the time. NorTel and Telecom people would probably pick something easy and universal. What password best fitted that description?
username: nortel
password: nortel
It worked.
Unfortunately, Mendax didn't know which commands to use once he got into the machine, and there was no on-line documentation to provide help. The telephone switch had its own language, unlike anything he had ever encountered before.
After hours of painstaking research, Mendax constructed a list of commands which would work on the exchange's computer. The exchange appeared to control all the special six-digit phone numbers beginning with 13, such as those used for airline reservations or some pizza delivery services. It was Telecom's `Intelligent Network' which did many specific tasks, including routing calls to the nearest possible branch of the organisation being called. Mendax looked through the list of commands, found `RANGE', and recognised it as a command which would allow someone to select all the phone numbers in a certain range. He selected a thousand numbers, all with the prefix 634, which he believed to be in Telecom's Queen Street offices.
Now, to test a command. Mendax wanted something innocuous, which wouldn't screw up the 1000 lines permanently. It was almost 7 a.m. and he needed to wrap things up before Telecom employees began coming into work.
`RING' seemed harmless enough. It might ring one of the numbers in the range after another—a process he could stop. He typed the command in. Nothing happened. Then a few full stops began to slowly spread across his screen: