Security Incidents mailing list archives

Compromised boxes on cwru.edu -- resolved


From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Fri, 18 Aug 2000 15:33:51 -0400

Good afternoon, everyone,

This is an informational memo to the INCIDENTS list at SecurityFocus, CERT
(US), the UNISOG list (from SANS) and the GIAC (also from SANS).

Recently, the domain cwru.edu suffered some network difficulties which,
when investigated, turned out to be caused by several compromised machines
scanning external hosts, which flooded the tables of the gateway device,
causing it to fail. This is an informational note to state that the
compromised machines have been found and the situation is being resolved.

The affected machines were in the 129.22.89/24 network, corresponding to
*.gene.cwru.edu, part of cwru.edu (129.22/16). Unauthorized access was
gained via the ProFTPd exploit running around in the wild. The machines in
question, approximately 16 machines, comprise a batch processing system
currently being set up for data analysis. The intruder began scanning off
site hosts and spoofing all addresses in the 129.22.89/24 range, which
caused significant network troubles for the unaffected machines. Access
was gained at the end of July, 2000, and hostile activities happened for
approximately 2 weeks.

The machines are currently offline and being reinstalled and hardened. A
topology change is being implemented for the cluster and much stronger
security measures taken to ensure this doesn't happen again.

If you have seen hostile or scanning traffic from this network range
(129.22.89/24), this is the most likely explanation for it. If you
continue to see hostile activity from this range or any of the CWRU
network (129.22/16), please do not hesitate to contact our local domain
contact, Mr Jeff Gumpf:

   Administrative Contact, Technical Contact, Zone Contact:
      Gumpf, Jeffrey A  (JAG3)  Gumpf () INS CWRU EDU
      Case Western Reserve University
      Campus Communications Network - Network
      Services
      Crawford Hall, Room 426
      Attn:
      Jeff Gumpf
      Cleveland, OH 44106
      (216) 368-2982

Once again, the issue should be resolved now, and this note serves to
explain activity some of you may have seen.

Thanks for your understanding,

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
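The report above describes two things a recipient on this list might want to spot in their own traffic: outbound scanning from 129.22.89/24, and the tell-tale sign that the sources are spoofed, namely far more distinct scanning addresses than the subnet has real hosts (about 16, per the memo). The following is an added example written for this archive page, not code from the original message or from CWRU; the flow records are constructed, and the scan threshold of 20 distinct destinations is an assumption chosen for illustration.

```python
"""Flag outbound scanning from a /24 and the spoofing indicator described
in the incident report: more distinct scanning sources than real hosts."""
import ipaddress
from collections import defaultdict

# Subnet and real host count are taken from the report above:
# roughly 16 machines in 129.22.89/24 were actually compromised.
CLUSTER_NET = ipaddress.ip_network("129.22.89.0/24")
REAL_HOSTS = 16


def build_sample_flows():
    """Constructed flow records (src, dst, dport); NOT captured traffic.
    40 spoofed sources in the /24 each probe 30 external hosts on 21/tcp,
    while 129.22.89.5 makes a handful of ordinary outbound connections."""
    flows = []
    for i in range(40):
        src = str(CLUSTER_NET[100 + i])
        for j in range(30):
            flows.append((src, f"10.{i}.{j}.1", 21))
    for j in range(3):
        flows.append((str(CLUSTER_NET[5]), f"10.200.0.{j}", 80))
    return flows


def analyze(flows, net=CLUSTER_NET, scan_threshold=20, real_hosts=REAL_HOSTS):
    """Return the per-source count of distinct external (dst, port) targets
    for sources inside `net`, the sources at or above `scan_threshold`
    (assumed value), and whether the number of scanners exceeds the
    number of real hosts, which points at source-address spoofing."""
    dests = defaultdict(set)
    for src, dst, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Only traffic leaving the subnet is of interest here.
        if s in net and d not in net:
            dests[src].add((dst, dport))
    scanners = sorted(s for s, d in dests.items() if len(d) >= scan_threshold)
    return {
        "fanout": {s: len(d) for s, d in dests.items()},
        "scanners": scanners,
        "likely_spoofed": len(scanners) > real_hosts,
    }


if __name__ == "__main__":
    result = analyze(build_sample_flows())
    print(len(result["scanners"]), "scanning sources in", CLUSTER_NET,
          "- spoofing suspected:", result["likely_spoofed"])
```

Run against real flow or firewall logs by replacing `build_sample_flows()` with a parser for your own record format; the point of the `likely_spoofed` check is that a handful of compromised hosts spoofing an entire /24 shows up as the whole range scanning at once, which is exactly what caused the gateway table exhaustion described above.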

