Re: BARRnet breakin

[laz () gnu ai mit edu (laz () gnu ai mit edu)]

All,

The following is an excerpt of a letter from Vince Fuller of BARRNET.

>   As some of you are no doubt aware by now, we experienced a major security
> "incident" last week where a cracker successfully broke-in to the BARRNet
> server system NIC1.BARRNET.NET. After break-in, the cracker managed to install
> a tcpdump-like program which, running in "promiscious mode", was logging all
> TCP sessions which happened to cross the BARRNet subnet where NIC1.BARRNET.NET
> is located. Unfortunately, this subnet is also home to the BARRNet low-speed
> hub router, SU-PM1.BARRNET.NET, which is where all BARRNet low-speed (14.4KB)
> leased line and dialup sites are connected. This means that usernames and
> passwords for both BARRNet low-speed sites *and* any place that users at those
> sites may have connected may have been compromised. Fortunately, we were able
> to find the logfile (600KB and over 20,000 lines!) created by the password
> logger and have informed the system administrators for every account which it
> shows compromised.
>
>   It is important to note that even though we were able to obtain the logfile,
> we have no way of knowing whether the cracker successfully retrieved the log
> or whether it represents a full list of the accounts which have potentially
> been compromised. Because of this, we are recommending that all sites take a
> good look at their systems, particular Sun systems, as the cracker seems to
> favor them, and check for any anomalies, such as incorrect checksums on system
> binaries - /bin/login is a favorite -  or the presence of any files which
> should not be on the system - the TCP session logger, in particular, wrote
> its data to /tmp/.X11-unix/.xinitrc. Suspicious activity should be reported
> to the Computer Emergency Response Team at "cert () cert org". Note that we have
> reported all of the information we have to the CERT and have filed a police
> report in the event that the cracker is caught and prosecuted.
>
>   In an effort to prevent future attacks and to eliminate the possibility of
> potentially compromised systems at BARRNet from being used for further attacks,
> we have completely re-installed the operating system on our three servers,
> NIC1.BARRNET.NET, NIC2.BARRNET.NET, and NOC.BARRNET.NET and have installed a
> number of improved security measures which should prevent the sort of session-
> logging attack which was performed on NIC1. We have also frozen all user
> accounts on our mail server system, MAIL.BARRNET.NET, and on the news server
> system, NIC2.BARRNET.NET, and will unfreeze each account only after we have
> spoken with the account owner and assigning a new password which meets improved
> security guidelines.
>
>   Unfortunately, during our efforts to clean up after this incident, there may
> have been periods of time where mail and other services were disrupted - we'd
> like to apologize for any inconvenience that any such disruption may have
> caused, but given the serious circumstances, hope that you will understand the
> drastic steps that we had to take. Also, if you sent mail to any of the BARRNet
> service lists which was returned as undeliverable, please re-send it as we
> believe that all services should now be back to normal.
>
>   As always, if you have questions or comments about this incident or about
> any other aspect of BARRNet services, please feel free to contact us either
> by email to NOC () BARRNET NET or on the BARRNet hotline at (415) 723-7360.
>
>       Vince Fuller, BARRNet technical director

laz