[04-JUN-2005] Username: CHATTY (AKA CHATTY2, SHADE5 and Mr NIH.gov Haxor).
Originating somewhere in Kazakhstan, this "Skiddie" has been using the cluster
for months. And we've been watching him. ;-}
CHATTY (emails shade_kolya@topmail.kz, chatty2@topmail.kz, shade101@topmail.kz)
was originally spotted using SSH all the time; from FINGER we could see he had
the two accounts CHATTY2 and SHADE5. So a quick MULTINET SHOW/CONN revealed this
was into a machine owned by the National Institutes of Health. Yes, a U.S.
government computer. Since finger showed he was logging in from a .kz address,
it was highly likely he should not have access there. Both accounts, when
inspected, were found to contain word lists, warez, exploit code, and password
crackers. After a discreet inquiry in Notes, the VAX LOGGER and ALPHA_LOGGER
examples were compiled and calls to run them added to the two accounts'
LOGIN.COM. This wasn't hidden particularly well, Nooooo.... If you did finger
when one of our victim accounts was logged in you'd see they were running ID10T.
The log files were even going into their SYS$LOGIN and we kept having to up
quotas to see what they were doing with all these SSH keys they had.
We got lots of entertaining logs, and an email asking if we could install
UUENCODE and UUDECODE to facilitate the transport of warez and john the ripper
between machines. You'll even see that we did, but this didn't help as the
genius couldn't work out that you needed to TYPE the resultant .UUE file. Still
the log files kept building up, the guy's quota was up to about 100K blocks
before they got moved off his quota.
We were discussing what to do about reporting this to the appropriate people at
NIH.gov, when one instance of john the ripper spat out a root password on a
machine CHATTY was cracking. This speeded up the process of notifying folks and
the two accounts were shut down. Nobody was interested in pursuing what is
presumably a pimply maladjusted moron, and we didn't even send email. The Wall
of Shame was started after this incident, and it wouldn't be documented if he
hadn't come back...
Yup. He came back as CHATTY and got up to his old tricks again. In went the
logging calls, and [CHATTY.SSH2.HOSTKEYS] was regularly looked into. Then I
(Doc) caught him using an SQL exploit and using SSH on a nonstandard port to
gain root access to http://chat.nursat.kz.
Don't do that to me on a Saturday morning when I've a sore head. Really, that's
better known as Grumpy Sadistic BOFH mode. I put an ACL on MULTINET:SSH2.EXE to
block access to anyone with the rights identifier NO_SSH and graciously granted
that to CHATTY.
[Extra: I found it very entertaining to watch him run canned Linux only
exploits on a Solaris box - Beave :]
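The ban described above, spelled out as DCL. This is an added illustration, not
the cluster's own command procedure: the identifier NO_SSH, the image
MULTINET:SSH2.EXE and the username CHATTY are taken from this entry, while the
exact sequence of AUTHORIZE and SET SECURITY commands is an assumption about how
it was done.

```dcl
$! Added example, not the cluster's own procedure: ban one account from the
$! MultiNet SSH client with a rights identifier and an identifier-based ACE.
$! NO_SSH, MULTINET:SSH2.EXE and CHATTY are the names used on this page; the
$! command sequence itself is an assumption about how it was done.
$!
$! Step 1: create the identifier and grant it to the account. This needs
$! SYSPRV; the identifier reaches the user's process only at next login.
$ SET DEFAULT SYS$SYSTEM
$ MCR AUTHORIZE ADD/IDENTIFIER NO_SSH
$ MCR AUTHORIZE GRANT/IDENTIFIER NO_SSH CHATTY
$! Confirm NO_SSH now appears in the account's rights list.
$ MCR AUTHORIZE SHOW/RIGHTS CHATTY
$!
$! Step 2: add a deny ACE to the client image. ACEs are tested in order and
$! the first identifier match decides, so this one must sit ahead of any ACE
$! that grants access; ACCESS=NONE refuses every access type.
$ SET SECURITY/ACL=(IDENTIFIER=NO_SSH,ACCESS=NONE) MULTINET:SSH2.EXE
$!
$! Step 3: verify the ACL and its order before trusting it.
$ SHOW SECURITY MULTINET:SSH2.EXE
$!
$! To lift the ban later, revoke the identifier; the ACE can stay in place
$! for the next holder of NO_SSH:
$!   $ MCR AUTHORIZE REVOKE/IDENTIFIER NO_SSH CHATTY
```

An identifier ACE is checked before the image's UIC-based protection, so the
world read/execute that lets everyone else run the client does not help a
NO_SSH holder. Two caveats: a process already logged in keeps its old rights
list until the next login, and a process holding BYPASS or SYSPRV, or one that
falls in the SYSTEM or owner category of the image's protection code, is not
stopped by the deny ACE. For an ordinary user account the denial is effective,
which is what the entry relies on.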
Then I emailed him.
To: CHATTY@gein.vistech.net
CC: ADMIN@OPENVMS-ROCKS.COM
Message-Id: <05060406133988.24601041.484642@gein.vistech.net>
Subject: You have been banned from using SSH
Congratulations, you're being awarded our "Dipshit of the Month" prize. You
have won the rights identifier NO_SSH which means you will no longer have
access to SSH on the cluster.
Obviously your ability to run brute-force attacks and canned exploits such
as SQL injection is in no way, shape, or form an indication of your
intelligence. Otherwise you would have realized that you were caught when
we closed down your CHATTY2 and SHADE5 accounts and notified the U.S.
Government that you'd been "hacking" their machines. Since then, we've been
monitoring your activities and building a list of machines you have access
to.
Now we've got bored. We may, or may not, notify the owners of the machines
you've been abusing. The only reason your account hasn't been completely
disabled is that it might be amusing to watch how you try and get access to
SSH again. Oh, and don't think we won't notice if you open another account,
you're about as subtle as a fart in a flower shop.
In closing, you ARE the weakest link.
Goodbye.
Doc.