Security Incidents mailing list archives
Compromised boxes on cwru.edu -- resolved
From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Fri, 18 Aug 2000 15:33:51 -0400
Good afternoon, everyone,

This is an informational memo to the INCIDENTS list at SecurityFocus, CERT (US), the UNISOG list (from SANS) and the GIAC (also from SANS).

Recently, the domain cwru.edu suffered some network difficulties which, when investigated, turned out to be caused by several compromised machines scanning external hosts, which flooded the tables of the gateway device, causing it to fail. This is an informational note to state that the compromised machines have been found and the situation is being resolved.

The affected machines were in the 129.22.89/24 network, corresponding to *.gene.cwru.edu, part of cwru.edu (129.22/16). Unauthorized access was gained via the ProFTPd exploit running around in the wild. The machines in question, approximately 16 machines, comprise a batch processing system currently being set up for data analysis. The intruder began scanning off-site hosts and spoofing all addresses in the 129.22.89/24 range, which caused significant network troubles for the unaffected machines. Access was gained at the end of July, 2000, and hostile activities happened for approximately 2 weeks.

The machines are currently offline and being reinstalled and hardened. A topology change is being implemented for the cluster and much stronger security measures taken to ensure this doesn't happen again. If you have seen hostile or scanning traffic from this network range (129.22.89/24), this is the most likely explanation for it.
If you continue to see hostile activity from this range or any of the CWRU network (129.22/16), please do not hesitate to contact our local domain contact, Mr Jeff Gumpf:

Administrative Contact, Technical Contact, Zone Contact:
Gumpf, Jeffrey A (JAG3) Gumpf () INS CWRU EDU
Case Western Reserve University
Campus Communications Network - Network Services
Crawford Hall, Room 426
Attn: Jeff Gumpf
Cleveland, OH 44106
(216) 368-2982

Once again, the issue should be resolved now, and this note serves to explain activity some of you may have seen.

Thanks for your understanding,

jose nazario jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
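The pattern the post describes, compromised hosts sweeping external targets while spoofing every address in the 129.22.89/24 range, leaves a recognisable signature in outbound flow records: nearly all addresses of one prefix appear as sources within a short window, each fanning out to many destinations. The following detection heuristic is an added example, not code from the post or from CWRU; the flow-record format, thresholds and sample traffic are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Prefixes named in the post: the affected /24 and the campus /16 around it.
AFFECTED = ipaddress.ip_network("129.22.89.0/24")
CAMPUS = ipaddress.ip_network("129.22.0.0/16")


def parse_flow(line):
    """Parse a constructed 'minute src dst dport' flow record (assumed format)."""
    minute, src, dst, dport = line.split()
    return int(minute), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def scan_sweep_report(lines, src_threshold=0.5, fanout_threshold=20):
    """Per minute, measure how much of the /24 shows up as a source of
    off-campus traffic and how many distinct external hosts it reaches.
    A minute is flagged when the share of prefix addresses seen as sources
    exceeds src_threshold (the whole range being spoofed) and the number of
    distinct external destinations exceeds fanout_threshold (a sweep)."""
    per_min_src = defaultdict(set)
    per_min_dst = defaultdict(set)
    for line in lines:
        minute, src, dst, _ = parse_flow(line)
        if src in AFFECTED and dst not in CAMPUS:
            per_min_src[minute].add(src)
            per_min_dst[minute].add(dst)
    report = {}
    for minute in sorted(per_min_src):
        share = len(per_min_src[minute]) / AFFECTED.num_addresses
        fanout = len(per_min_dst[minute])
        report[minute] = (share, fanout, share > src_threshold and fanout > fanout_threshold)
    return report


def constructed_sample():
    """Constructed flows (not real captures): minute 0 is ordinary traffic
    from two hosts; minute 1 is a sweep in which every address of the /24
    appears as a source probing FTP on many external targets."""
    lines = ["0 129.22.89.10 198.51.100.5 80", "0 129.22.89.11 203.0.113.7 443"]
    for i, src in enumerate(AFFECTED.hosts()):
        lines.append(f"1 {src} 203.0.113.{i % 250 + 1} 21")
    return lines


if __name__ == "__main__":
    for minute, (share, fanout, flagged) in scan_sweep_report(constructed_sample()).items():
        print(f"minute {minute}: {share:.2%} of prefix active, {fanout} targets, flagged={flagged}")
```

Real deployments would read NetFlow or firewall logs at the gateway and alert on the flagged minutes; a spoofing sweep like this one is also the moment to rate-limit or filter the prefix upstream before the gateway's state tables overflow.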