Fri, 22 Jul 88 09:51:06 PDT
I have a question, and an appeal for developers of VMS TCP/IP products if
no answer is possible.
Is there a product, or a way under VMS to get the source address of a TCP/IP
connection entered into the accounting files?
As many of you probably read in the papers, we were hit by a hacker about a
month ago. This penetration was accomplished over the Internet. Unlike our
SPAN connection which is DECnet, we have no way of "tracing" a connection once
it is broken, because the TCP/IP product we are running is not part of VMS, and
therefore does not communicate with VMS' accounting package.
Under DECnet, after an interactive user logs out, I have a record showing
the remote node and remote userid associated with the connection. Under
TCP/IP, unless I am diligent and run NETSTAT, I have no way of tracing the
connection. All accounting shows is a login on terminal NTY1 or XXA1, but
no information about the IP address of the source node.
It seems to me that with a little cooperation between DEC and the vendors, that
a simple addition to LOGINOUT.EXE and/or the TELNET server would cause this
information to be recorded, provided accounting was enabled. The benefits of
having this information should be self evident.
Anybody have any constructive ideas on this subject?
Jet Propulsion Laboratory
This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:42:51 GMT