Bugtraq mailing list archives
Re: BARRnet breakin
From: laz () gnu ai mit edu (laz () gnu ai mit edu)
Date: Mon, 22 Nov 1993 11:28:30 -0500 (EST)
All, The following is an excerpt of a letter from Vince Fuller of BARRNET.
As some of you are no doubt aware by now, we experienced a major security "incident" last week where a cracker successfully broke in to the BARRNet server system NIC1.BARRNET.NET. After the break-in, the cracker managed to install a tcpdump-like program which, running in "promiscuous mode", was logging all TCP sessions which happened to cross the BARRNet subnet where NIC1.BARRNET.NET is located. Unfortunately, this subnet is also home to the BARRNet low-speed hub router, SU-PM1.BARRNET.NET, which is where all BARRNet low-speed (14.4KB) leased line and dialup sites are connected. This means that usernames and passwords for both BARRNet low-speed sites *and* any place that users at those sites may have connected may have been compromised. Fortunately, we were able to find the logfile (600KB and over 20,000 lines!) created by the password logger and have informed the system administrators for every account which it shows compromised. It is important to note that even though we were able to obtain the logfile, we have no way of knowing whether the cracker successfully retrieved the log or whether it represents a full list of the accounts which have potentially been compromised. Because of this, we are recommending that all sites take a good look at their systems, particularly Sun systems, as the cracker seems to favor them, and check for any anomalies, such as incorrect checksums on system binaries - /bin/login is a favorite - or the presence of any files which should not be on the system - the TCP session logger, in particular, wrote its data to /tmp/.X11-unix/.xinitrc. Suspicious activity should be reported to the Computer Emergency Response Team at "cert () cert org". Note that we have reported all of the information we have to the CERT and have filed a police report in the event that the cracker is caught and prosecuted.
In an effort to prevent future attacks and to eliminate the possibility of potentially compromised systems at BARRNet being used for further attacks, we have completely re-installed the operating system on our three servers, NIC1.BARRNET.NET, NIC2.BARRNET.NET, and NOC.BARRNET.NET, and have installed a number of improved security measures which should prevent the sort of session-logging attack which was performed on NIC1. We have also frozen all user accounts on our mail server system, MAIL.BARRNET.NET, and on the news server system, NIC2.BARRNET.NET, and will unfreeze each account only after we have spoken with the account owner and assigned a new password which meets improved security guidelines. Unfortunately, during our efforts to clean up after this incident, there may have been periods of time where mail and other services were disrupted - we'd like to apologize for any inconvenience that any such disruption may have caused, but given the serious circumstances, hope that you will understand the drastic steps that we had to take. Also, if you sent mail to any of the BARRNet service lists which was returned as undeliverable, please re-send it, as we believe that all services should now be back to normal. As always, if you have questions or comments about this incident or about any other aspect of BARRNet services, please feel free to contact us either by email to NOC () BARRNET NET or on the BARRNet hotline at (415) 723-7360. Vince Fuller, BARRNet technical director
laz
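The host checks the letter recommends, as an added example that is not part of the original post or of BARRNet's own tooling: it compares system binaries against a cksum(1) baseline recorded on a trusted system, looks for the logger's drop file named in the letter, and reports interfaces left in promiscuous mode. The baseline file format and the script name sweep.sh are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): host sweep for the checks the BARRNet
# letter recommends: system-binary checksums against a known-good baseline, presence
# of files that should not exist, and interfaces left in promiscuous mode.
# Baseline lines are exactly POSIX cksum(1) output: "<crc> <size> <path>" (assumed format).

# Record a baseline for the given files (from a trusted system or install media).
make_baseline() { cksum "$@"; }

# Compare each baseline entry with the live file. Prints one finding per changed
# or missing file; returns 1 if anything was found, 0 if clean.
check_baseline() {
    baseline=$1 found=0
    while read -r sum size path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; found=1; continue
        fi
        set -- $(cksum "$path")           # $1 = live crc, $2 = live size
        if [ "$1" != "$sum" ] || [ "$2" != "$size" ]; then
            echo "MODIFIED $path (baseline $sum/$size, now $1/$2)"; found=1
        fi
    done < "$baseline"
    return "$found"
}

# Report any of the given paths that exist (the letter names the logger's output
# file /tmp/.X11-unix/.xinitrc). Returns 1 if any are present.
check_suspicious_paths() {
    found=0
    for p in "$@"; do
        [ -e "$p" ] && { echo "SUSPICIOUS $p present"; found=1; }
    done
    return "$found"
}

# Print interfaces flagged PROMISC via ip(8) or legacy ifconfig; returns 1 if any.
check_promisc() {
    { ip -o link || ifconfig -a; } 2>/dev/null | grep PROMISC && return 1
    return 0
}

# Usage: sh sweep.sh baseline.txt   (nonzero exit means findings)
if [ "$#" -ge 1 ]; then
    check_baseline "$1"; s=$?
    check_suspicious_paths /tmp/.X11-unix/.xinitrc || s=1
    check_promisc || s=1
    exit "$s"
fi
```

Record the baseline with `make_baseline /bin/login /bin/ls ... > baseline.txt` before a system is exposed; a baseline taken from an already compromised host only certifies the trojaned binaries.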
Current thread:
- BARRnet breakin David Burns (Nov 20)
- <Possible follow-ups>
- Re: BARRnet breakin Sid Stuart (Nov 21)
- Re: BARRnet breakin Christopher Klaus (Nov 21)
- packet logs Mark (Nov 22)
- Re: packet logs Christopher Klaus (Nov 22)
- Re: BARRnet breakin laz () gnu ai mit edu (Nov 22)