All,

The following is an excerpt of a letter from Vince Fuller of BARRNET.

> As some of you are no doubt aware by now, we experienced a major security
> "incident" last week where a cracker successfully broke in to the BARRNet
> server system NIC1.BARRNET.NET. After the break-in, the cracker managed to
> install a tcpdump-like program which, running in "promiscuous mode", was
> logging all TCP sessions which happened to cross the BARRNet subnet where
> NIC1.BARRNET.NET is located. Unfortunately, this subnet is also home to the
> BARRNet low-speed hub router, SU-PM1.BARRNET.NET, which is where all BARRNet
> low-speed (14.4KB) leased line and dialup sites are connected. This means
> that usernames and passwords for both BARRNet low-speed sites *and* any
> place that users at those sites may have connected may have been
> compromised. Fortunately, we were able to find the logfile (600KB and over
> 20,000 lines!) created by the password logger and have informed the system
> administrators for every account which it shows compromised.
>
> It is important to note that even though we were able to obtain the logfile,
> we have no way of knowing whether the cracker successfully retrieved the log
> or whether it represents a full list of the accounts which have potentially
> been compromised. Because of this, we are recommending that all sites take a
> good look at their systems, particularly Sun systems, as the cracker seems to
> favor them, and check for any anomalies, such as incorrect checksums on
> system binaries - /bin/login is a favorite - or the presence of any files
> which should not be on the system - the TCP session logger, in particular,
> wrote its data to /tmp/.X11-unix/.xinitrc. Suspicious activity should be
> reported to the Computer Emergency Response Team at "cert@cert.org". Note
> that we have reported all of the information we have to the CERT and have
> filed a police report in the event that the cracker is caught and
> prosecuted.
>
> In an effort to prevent future attacks and to eliminate the possibility of
> potentially compromised systems at BARRNet from being used for further
> attacks, we have completely re-installed the operating system on our three
> servers, NIC1.BARRNET.NET, NIC2.BARRNET.NET, and NOC.BARRNET.NET and have
> installed a number of improved security measures which should prevent the
> sort of session-logging attack which was performed on NIC1. We have also
> frozen all user accounts on our mail server system, MAIL.BARRNET.NET, and on
> the news server system, NIC2.BARRNET.NET, and will unfreeze each account
> only after we have spoken with the account owner and assigned a new password
> which meets improved security guidelines.
>
> Unfortunately, during our efforts to clean up after this incident, there may
> have been periods of time where mail and other services were disrupted -
> we'd like to apologize for any inconvenience that any such disruption may
> have caused, but given the serious circumstances, hope that you will
> understand the drastic steps that we had to take. Also, if you sent mail to
> any of the BARRNet service lists which was returned as undeliverable, please
> re-send it as we believe that all services should now be back to normal.
>
> As always, if you have questions or comments about this incident or about
> any other aspect of BARRNet services, please feel free to contact us either
> by email to NOC@BARRNET.NET or on the BARRNet hotline at (415) 723-7360.
>
> Vince Fuller, BARRNet technical director

laz
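The letter asks sites to compare checksums of system binaries against known-good values and to look for the sniffer's log file. The following script is an added example of that check, written for this page; it is not BARRNet's or CERT's tooling. It assumes a baseline file in `sha256sum` format ("<hash>  <path>") taken from a clean install or distribution media, a `root` prefix so a suspect disk can be checked from a mounted copy rather than trusting the running system, and the one artifact path the letter names (`/tmp/.X11-unix/.xinitrc`). Paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example, not from the BARRNet letter: baseline-checksum verification
# of system binaries plus a scan for the sniffer's known log file.
#
# Usage (hypothetical):
#   make_baseline / /bin/login /bin/ps /usr/sbin/in.telnetd > baseline.txt   # on a clean host
#   check_baseline baseline.txt /mnt/suspect && check_artifacts /mnt/suspect  # on a suspect disk

# Print "<sha256>  <path>" lines for each path, read relative to $root.
# Assumes GNU/BSD `sha256sum`; substitute `shasum -a 256` where needed.
make_baseline() {
    root="$1"; shift
    for path in "$@"; do
        printf '%s  %s\n' "$(sha256sum "${root%/}/${path#/}" | cut -d' ' -f1)" "$path"
    done
}

# Compare every path in the baseline file ($1) against the tree rooted at $2
# (default "/"). Prints one line per MISSING or MODIFIED binary; returns 0
# only when every binary matches its recorded checksum.
check_baseline() {
    baseline="$1"
    root="${2:-/}"
    rc=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        file="${root%/}/${path#/}"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        actual=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path expected=$expected actual=$actual"
            rc=1
        fi
    done < "$baseline"
    return $rc
}

# Look for files that should not exist on a clean system. The list holds the
# one path the letter reports; extend it with other known artifacts as needed.
# Returns 0 when none are present.
check_artifacts() {
    root="${1:-/}"
    rc=0
    for p in /tmp/.X11-unix/.xinitrc; do
        if [ -e "${root%/}/${p#/}" ]; then
            echo "ARTIFACT $p"
            rc=1
        fi
    done
    return $rc
}
```

Run the baseline from a trusted copy of `sha256sum`, not the one on the suspect host, since a trojaned `/bin/login` is rarely the only replaced binary; comparing against a baseline kept off-host is what makes the check meaningful.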