ALL [illegible] DATE 59 25 2012 [illegible]

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE
Date: 04/03/1998

To: Criminal Investigative    Attn:
    Chicago                   Attn: 288 Supervisor
    San Francisco             Attn: 288 Supervisor

From: [redacted]
      Squad 4 A
      Contact: SA [redacted]  [b6, b7C]

Approved By: [redacted] AK
Drafted By: [redacted] tjm

Case ID: Pending

Title: SOLAR

Synopsis: Information is being forwarded to receiving offices regarding captioned matter.

Details: On 4/3/98, SA [redacted], Kansas City Division (KCD), telephonically contacted [redacted], Network and Security Services (MNSS), 1805 E. Walnut Street, Columbia, Missouri 65201, telephone number [redacted], fax number 573 884 6673, regarding a fax received from [redacted] on 3/6/98. The fax described an intrusion into a computer at the Central Methodist College, cmc2.cmc.edu, which is a connection from MNSS.  [b6, b7C]

[redacted] advised that someone named [redacted] sent an E-mail message to MNSS with a password file attached. The password file was later verified as an old password file from cmc2.cmc.edu. [redacted] claimed he received the password file from an east coast hacker who claimed to be involved with the compromises of the Pentagon servers via the Internet. The hacker sent the password file to [redacted] as proof of his hacking ability. [redacted] later learned that [redacted] was [redacted] for the publication AntiOnline, web address [redacted]. [redacted] advised [illegible] chatted with [redacted] using Internet Relay Chat (IRC) and that [redacted] was the one who [illegible] the password file.  [b6, b7C]

To: Criminal Investigative    From:
Re: 288-HQ-1242560, 04/03/1998

A copy of the aforementioned fax is attached. This information is being forwarded to receiving offices for whatever action deemed appropriate.

[Attached fax]

The Missouri Research and Education Network
1805 East Walnut Street, Columbia, Missouri 65201
573 884-7200
World Wide Web: [illegible]    E-mail: info@more.net

UNIV OF [illegible] 573 884 6673

Page 1 of 2
March 6, 1998

TO:
COMPANY: Federal Bureau of Investigation, Kansas City Field Office
PHONE:

FROM:
Missouri Research and Education Network
1805 E. Walnut St.
Columbia, MO 65201
PHONE:
FAX: 573 884 6673

MESSAGE:
Following is a summary of the current incident we are working on. Feel free to contact me with anything you need further on this. I look forward to meeting and working with you.

Best regards,

University of Missouri-Columbia, an equal opportunity institution

Security Services Incident Summary

Tuesday 3 Mar 98, approx 2241 CST: [redacted] received a page from [redacted] at ISCA regarding a security incident with one of our connections. [redacted], the Security Coordinator, responded to [redacted]'s call and learned that he was in possession of a password file reportedly from a computer designated cmc2.cmc.edu. The computer designated is located at Central Methodist College, connected via [illegible] to the Internet. The [illegible] Whois table lists [redacted] as the technical contact, which precipitated [redacted] call to us.

[redacted] reported that he received the file from an east coast hacker who was claiming to be involved with the recent compromises of the Pentagon and other servers via the Internet. He was sent the file as verification of the hacker's abilities. After exchanging PGP keys, [redacted] forwarded the file via electronic mail from an account [redacted]. [redacted] forwarded the file to [redacted], the system administrator at Central Methodist College, who confirmed the file was indeed the password file from the cmc2.cmc.edu computer as it appeared in late 1996 or early 1997.

Related note: we had an incident in November of 1996 wherein the same server was compromised and the password file was suspected to have been cracked at that time.  [b6, b7C]

Approx 1445: [redacted], Central Methodist, reported that he observed a userID logged into the system at IP Address [redacted] that was attempting to install COPS, a commonly used UNIX system cracking tool. [redacted] terminated the first session and within a few minutes noticed that another userID logged into the system and attempted the same installation. [redacted] [illegible] and reported to us that the sessions were connecting via telnet from a system identified as [redacted], IP Address [redacted]. [redacted] terminated the second session and as of 1630 CST had not had further login attempts from outside of the College's network.

At approx 1500 CST, [redacted] reported the incident to CERT. [illegible] suggestion was to send email to the network provider for kaskomru with the incident information. CERT requested to be cc'd on the email note. [redacted] [illegible] sent this note at approx 1700 CST.

[redacted] recommended to Central Methodist that the server be taken off line, have the operating system installed from known media, and patched to the current levels before bringing the system back online. [redacted] further blocked the IP address [redacted] at the site router, preventing further network traffic to and from the system.

Nothing Further.

[redacted]
Network and Security Services
5 Mar 98 1730 CST