Information Security News mailing list archives

Earthlink cracked!


From: William Knowles <wk () C4I ORG>
Date: Mon, 19 Feb 2001 02:06:43 -0600

http://www.cotse.com/2152001.html

Earthlink is currently battling a recent compromise of their internal
network. Many of their internal Unix boxes have been cracked and have
had a backdoor installed, according to unnamed Earthlink admins.
Earthlink is currently working this in stealth, with the entire affair
being kept very quiet.

Administrators have been working frantically to determine the depth of
the breach. Among tasks facing administrators is the combing of files
using the strings command in an apparent attempt to determine exactly
which machines have been backdoored. They have currently restricted
access to their billing database and a "jump" box named "chie". They
have also locked down what they call their "yellow" and "green"
networks.
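The kind of string-based triage the article says Earthlink's admins were doing, written out as an added example (this is not code from the original post and not anything Earthlink is known to have run): extract the printable strings from each file in a directory, match them against an indicator list, and separately compare checksums against a baseline taken before the incident. The indicator strings, file names and file contents below are all constructed for the demo; a real run would use indicators from the advisory for the backdoor in question and a baseline captured from known-clean media.

```shell
#!/bin/sh
# Added example: backdoor triage with strings(1) plus a checksum baseline.
# Everything under "demo setup" is constructed sample data, not real IoCs.

# Print printable strings of 4+ characters from a file. Uses strings(1) when
# it is installed, otherwise an equivalent tr/grep pipeline.
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
}

# Scan every regular file directly under $1; print "INDICATOR MATCH: path"
# for each file whose strings contain any fixed string listed in $2.
# Exit status 0 means nothing matched, 1 means at least one file did.
scan_for_indicators() {
    dir=$1; indicators=$2; hits=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if extract_strings "$f" | grep -q -F -f "$indicators"; then
            echo "INDICATOR MATCH: $f"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Record a checksum line (cksum is POSIX) for every file in $1 into $2.
make_baseline() {
    dir=$1; out=$2
    : > "$out"
    for f in "$dir"/*; do
        [ -f "$f" ] && cksum "$f" >> "$out"
    done
}

# Print "CHANGED: path" for each file whose current checksum line is not in
# the baseline. Exit status 0 means nothing changed, 1 otherwise.
check_baseline() {
    dir=$1; baseline=$2; changed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        now=$(cksum "$f")
        if ! grep -q -F -x "$now" "$baseline"; then
            echo "CHANGED: $f"
            changed=1
        fi
    done
    [ "$changed" -eq 0 ]
}

# --- demo setup (constructed data) -------------------------------------
DEMO=$(mktemp -d)
IND="$DEMO/indicators.txt"
# Constructed indicator list: stand-ins for strings an advisory would give.
printf '%s\n' 'EXAMPLE_BACKDOOR_BANNER' 'evil.example.invalid' > "$IND"
mkdir "$DEMO/bin"
# Two fake "binaries": some printable text mixed with non-printable bytes.
printf 'clean program\001\002normal text\003' > "$DEMO/bin/login"
printf 'patched daemon\001\002\003' > "$DEMO/bin/sshd"
make_baseline "$DEMO/bin" "$DEMO/baseline.txt"
# Simulate a trojaned binary by appending an indicator string (constructed).
printf 'connect to evil.example.invalid\001' >> "$DEMO/bin/sshd"

# When run stand-alone, report what the two checks find.
if [ "${0##*/}" != "sh" ] && [ -z "${DEMO_QUIET:-}" ]; then
    scan_for_indicators "$DEMO/bin" "$IND" || echo "strings scan: hits found"
    check_baseline "$DEMO/bin" "$DEMO/baseline.txt" || echo "baseline: drift found"
fi
```

The two checks answer different questions: the string scan finds files carrying a known indicator even where no baseline exists, while the checksum comparison catches any modified file regardless of what was put in it, which is why a baseline taken before the incident is worth far more than either check alone.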

Restricting access to their billing database means that they have it
temporarily locked down. We have heard that finance employees and
billing are currently unable to access this database unless it is
urgent. Urgent requests are temporarily required to be sent off
instead of direct access. It is unknown at this time if the billing
databases were compromised.

The compromise was apparently due to a recent SSH vulnerability that
caught them off guard. It appears that they did not react fast enough
in patching their servers and the result was a widespread compromise.
Granted, rapidly patching many servers is a task and a half and will
not happen fast, but close monitoring of the affected service can
drastically limit damage. We hope that Earthlink managed to detect it
fast enough.

This should underscore the need for corporations with a net presence
to follow the security lists closely and address root exploits
immediately. Unfortunately most corporations still place network
security as low priority. Frequently they completely ignore it or take
weeks to respond to announced vulnerabilities. The recent Microsoft,
Intel, and now Earthlink compromises have shown that even waiting a
few days is too long.

Companies with a strong net presence should be employing a security
administrator whose sole job is to keep up with the vulnerabilities
and coordinate patching in a timely manner. Root vulnerabilities
cannot wait to wade through the mountains of internal red tape before
being addressed.

/steve
2-15-2001



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com