YORK-ANNOUNCE-L Archives

York U. announcements list - READ ONLY

YORK-ANNOUNCE-L@YORKU.CA

Subject:
From: Susan Spence <[log in to unmask]>
Reply To: York U. announcements list - READ ONLY
Date: Thu, 1 Jun 1995 15:53:38 +0000
Content-Type: text/plain
Parts/Attachments: text/plain (50 lines)

We were contacted via e-mail by a person in Maryland with a complaint
about abusive messages that she had received on IRC (Internet Relay
Chat).  The address associated with the messages made her think this was
probably a York University user and that perhaps we could exert some
sort of civilizing force on this person.
 
Closer inspection of the SUN system where the message came from showed
that there were several processes running that we could not account
for.  Further investigation uncovered a logfile of captured TCP/IP
packets that were being sniffed off of the local CCIS Ethernet.  This
logfile contained a number of userids and passwords, many of them with
easy access to elevated privileges on various systems at this site.
 
At this point we pulled the plug on our connection to the Internet and
on our modem pool while we researched the extent of the penetration.
 
What we know:
 
Using knowledge and cracking tools available on the Internet, the
intruder set up sniffer programs to capture account and password
information, backdoor programs to allow re-entry if we changed the
passwords on the authorized accounts and modified system programs to
erase the tracks left by his action.
 
To date, we have only found evidence that the intruder broke into the 3
CCIS SUNs.
 
What we are doing:
 
We are changing all passwords on systems on the Ethernets in common with
the compromised machines, and also the passwords of the same users'
accounts elsewhere at York.  We are also changing all passwords that
appear in the intruder's trace logs.
 
We are testing all UNIX systems at York for the backdoor password
(beginning with SPARCs running SunOS 4.x) and searching for the
packet-trace logs on other UNIX systems in this department (no hits
yet).
 
We are keeping inbound Internet access restricted (at our border
gateway) to only SMTP, NTP, NNTP and ICMP until we complete our clean-up
which we expect to complete by late today.  E-mail and News are coming
into York but telnet, FTP and WWW access to York from off campus are not
yet available.  This does not affect network activity within the York
campus net.
 
Susan Spence
Director, User Services
Computing, Communications & Instructional Services
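The notice says every password that appears in the intruder's trace logs is being changed, and that the other accounts of users on the same Ethernet are being reset too. The script below is an added example, not part of the announcement or of any tool it mentions: it turns a captured packet-trace log into the reset list a responder needs. The log format, host names and accounts are constructed for the example (the real sniffer's output format is not given on the page); it recognises cleartext telnet, FTP and POP3 logins, returns only account names and hosts, and never re-emits the captured passwords.

```python
import re

# Constructed log format for this example (not the format of the tool in the notice):
# one header line per captured session, then one DATA line holding the client's
# keystrokes with each newline written as the two characters backslash-n.
HEADER = re.compile(r"^TM: (?P<tm>.+?)  PATH: (?P<src>\S+)\((?P<sport>\d+)\) "
                    r"=> (?P<dst>\S+)\((?P<dport>\d+)\)$")
SERVICE_PORTS = {21: "ftp", 23: "telnet", 110: "pop3"}   # cleartext login services

# Constructed sample: three logins captured on one Ethernet segment (all names invented).
SAMPLE_TRACE = """\
TM: Wed May 31 22:14:03 1995  PATH: pc17.example.edu(1041) => sun3.example.edu(23)
DATA: jdoe\\nS3cret!\\nls -l\\n
TM: Wed May 31 22:20:41 1995  PATH: sun1.example.edu(2053) => ftp.example.edu(21)
DATA: USER ftpadmin\\nPASS hunter2\\nLIST\\n
TM: Wed May 31 22:31:09 1995  PATH: sun2.example.edu(1117) => mail.example.edu(110)
DATA: USER alice\\nPASS letmein\\n
"""

def parse_sessions(text):
    """Yield (src, dst, dport, lines) per captured session."""
    header = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            header = (m["src"], m["dst"], int(m["dport"]))
        elif raw.startswith("DATA: ") and header:
            lines = [l for l in raw[6:].split("\\n") if l]
            yield (*header, lines)
            header = None

def account_from(service, lines):
    """Login name typed in the session, or None. The password line is left alone:
    the reset list is all the responder needs, so it is never copied out."""
    if service == "telnet":                 # first line typed is the login name
        return lines[0] if lines else None
    for l in lines:                         # ftp and pop3 both send "USER <name>"
        if l.upper().startswith("USER "):
            return l[5:].strip()
    return None

def exposed_accounts(text):
    """Sorted (account, host, service) triples whose passwords must be changed."""
    found = set()
    for _src, dst, dport, lines in parse_sessions(text):
        service = SERVICE_PORTS.get(dport)
        if service and (acct := account_from(service, lines)):
            found.add((acct, dst, service))
    return sorted(found)

def hosts_to_review(text):
    """Every host on either end of a captured session: the machines sharing the
    sniffed segment, whose users' other accounts also need new passwords."""
    return sorted({h for s, d, _, _ in parse_sessions(text) for h in (s, d)})
```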
