We were contacted via e-mail by a person in Maryland with a complaint about abusive messages that she had received on IRC (Internet Relay Chat). The address associated with the messages made her think this was probably a York University user and that perhaps we could exert some sort of civilizing force on this person. Closer inspection of the SUN system where the message came from showed that there were several processes running that we could not account for. Further investigation uncovered a logfile of captured TCP/IP packets that were being sniffed off of the local CCIS Ethernet. This logfile contained a number of userids and passwords, many of them with easy access to elevated privileges on various systems at this site. At this point we pulled the plug on our connection to the Internet and on our modem pool while we researched the extent of the penetration.

What we know:

Using knowledge and cracking tools available on the Internet, the intruder set up sniffer programs to capture account and password information, backdoor programs to allow re-entry if we changed the passwords on the authorized accounts, and modified system programs to erase the tracks left by his action. To date, we have only found evidence that the intruder broke into the 3 CCIS SUNs.

What we are doing:

We are changing all passwords on systems on the Ethernets in common with the compromised machines, and also the passwords of the same users' accounts elsewhere at York. We are also changing all passwords that appear in the intruder's trace logs. We are testing all UNIX systems at York for the backdoor password (beginning with SPARCs running SunOS 4.x) and searching for the packet-trace logs on other UNIX systems in this department (no hits yet). We are keeping inbound Internet access restricted (at our border gateway) to only SMTP, NTP, NNTP and ICMP until we complete our clean-up, which we expect to complete by late today.

E-mail and News are coming into York, but telnet, FTP and WWW access to York from off campus are not yet available. This does not affect network activity within the York campus net.

Susan Spence
Director, User Services
Computing, Communications & Instructional Services