tcpdump mailing list archives
[tcpdump-announce] November Trojan incident
From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Fri, 06 Dec 2002 15:30:55 -0500
-----BEGIN PGP SIGNED MESSAGE-----

http://www.sandelman.ca/SSW/incidents/2002-november.shtml

Report on incident 2002/11/10 on www.tcpdump.org

Between November 7th and November 10th, there was an intrusion on lox.sandelman.ca, aka cvs.tcpdump.org. It likely occurred thru either Apache+SSL (openssl was not patched. I thought I'd just turned SSL off), or via openssh. The attack resulted in the addition of a public key to several SSH authorized_keys files, including mine.

On November 11th, around 10am, a trojan copy of tcpdump 3.7.2 and libpcap 0.6.2 was installed using my account. This was discovered on November 12th by some Linux users in Houston, and slashdotted that night. I received notification from an Australian mirror of the furor by phone on Wednesday November 13th, unfortunately, after I'd just travelled to Atlanta for IETF55.

On the afternoon of November 13th, lox.sandelman.ca was quarantined - the default route was removed, with selective connectivity enabled for specific uses. (It is my mail relay/pop mailbox server, after all.)

On November 15th, proper tcpdump.org files were put online again. The machine remained quarantined until I knew that I'd be home long enough to watch it. The machine was upgraded to NetBSD 1.6 on December 2nd and 3rd, with some additional patches applied already. The default route was restored on December 3rd at 16:00.

Other machines have been audited and no other situations have been seen.

In general, there were too many eggs on that machine - it made it very hard to upgrade in a timely manner. There are plans to distribute the work a little more. These plans are not new - alas.

If there are services (other than list searches, which continue to be broken) which you expect to have returned, then please let me know.

_________________________________________________________________
] ON HUMILITY: to err is human. To moo, bovine.           | firewalls  [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPfEI+4qHRg3pndX9AQGS/wP/XPBO+bayY+FlIhF+CFd/tktxIzWCHB8m
LPfye4w3xTBywUbq/eg18KLwnL7Pkf3UcIaHQ76ktDAqeWHVbN+HsAWNXqHqbZx0
WtqGKJwA21hAAqSOOmhdX09rARY+wtLWs8xHt4mqvTkliv3bvn2wx0afU7M+oNJ2
hu7v66aaQNk=
=jF4f
-----END PGP SIGNATURE-----

-
This is the TCPDUMP announcement list.
It is archived at http://www.tcpdump.org/lists/announce/maillist.html
To unsubscribe use mailto:tcpdump-announce-request () tcpdump org?body=unsubscribe
-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
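The report above says the intruder's persistence was an extra public key dropped into several authorized_keys files. The following audit script is an added example, not part of the original message or of the tcpdump project: it parses authorized_keys files (including entries with a leading options field), checks that the declared key type matches the type encoded in the key blob, computes the same SHA256 fingerprint that ssh-keygen -l prints, and reports every entry whose fingerprint is not on an approved list. The sample file, the key blobs and the allowlist are all constructed inline for illustration; on a real host the allowlist would come from a baseline taken before the incident window and the paths from the users' home directories.

```python
"""Audit OpenSSH authorized_keys files for keys that are not on an allowlist.

Added example (not project code). Sample keys and file below are constructed.
"""
import base64
import hashlib
import re
import struct
import sys
from typing import Optional

# Key types OpenSSH accepts in authorized_keys (enough for this example).
# The match tolerates an options field before the key type, e.g.
#   command="/usr/bin/rsync --server" ssh-ed25519 AAAA... comment
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$"
)


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_blob(key_type: str, *fields: bytes) -> str:
    """Build a base64 public-key blob from raw fields (constructed test data only;
    real blobs come from ssh-keygen and carry a genuine public key)."""
    raw = ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()


def blob_type(blob_b64: str) -> Optional[str]:
    """Return the key type encoded inside the blob, or None if it is malformed."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        if n > len(raw) - 4:
            return None
        return raw[4:4 + n].decode("ascii")
    except (ValueError, struct.error, UnicodeDecodeError):
        return None


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints: base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Parse a file body into entries with line number, type, fingerprint, status."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            # Nothing sshd would accept, but worth a human look anyway.
            entries.append({"line": lineno, "type": None, "fp": None,
                            "comment": None, "status": "unparsable"})
            continue
        ktype, blob, comment = m.group(1), m.group(2), (m.group(3) or "").strip()
        if blob_type(blob) != ktype:
            status, fp = "malformed", None   # declared type disagrees with blob
        else:
            status, fp = "ok", fingerprint(blob)
        entries.append({"line": lineno, "type": ktype, "fp": fp,
                        "comment": comment, "status": status})
    return entries


def audit(text: str, allowed_fps: set) -> list:
    """Return entries that are not on the allowlist or cannot be verified."""
    return [e for e in parse_authorized_keys(text)
            if e["status"] != "ok" or e["fp"] not in allowed_fps]


# --- constructed sample data (not real keys, not a real file) ----------------
ADMIN_KEY = make_blob("ssh-ed25519", b"\x11" * 32)
INTRUDER_KEY = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xb7" + b"\x42" * 62)
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample
ssh-ed25519 {ADMIN_KEY} mcr@lox
command="/usr/bin/rsync --server" ssh-ed25519 {ADMIN_KEY} mirror
ssh-rsa {INTRUDER_KEY} root@unknown
ssh-rsa {ADMIN_KEY} mislabelled
this is not a key
"""
# Assumed baseline: only the admin key was approved before the incident window.
ALLOWED = {fingerprint(ADMIN_KEY)}

if __name__ == "__main__":
    # Usage: python audit_keys.py [authorized_keys ...]; no args runs the sample.
    paths = sys.argv[1:]
    sources = [(p, open(p).read()) for p in paths] or [("sample", SAMPLE_AUTHORIZED_KEYS)]
    for name, body in sources:
        for e in audit(body, ALLOWED):
            print(f"{name}:{e['line']} {e['status']} {e['type']} {e['fp']} {e['comment']}")
```

Anything the audit prints deserves a look, not just the "unknown but well-formed" case: a line whose declared type does not match the blob, or a line sshd cannot parse, is still evidence of someone editing the file by hand.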