July 7, 2000

Adventures in Cybercrime


Well, THIS has been an interesting week!

It started on Wednesday when I had insomnia. Couldn't sleep. So at
2:30 a.m. I wandered over to the console and started poking around at
my computer... and I saw this
Jul 5 18:32:22 albatross PAM_pwdb[23827]: password for (root/0) changed by ((null)/0)
Jul 5 18:42:47 albatross useradd[23890]: new group: name=chatx, gid=507
Jul 5 18:42:47 albatross useradd[23890]: new user: name=chatx, uid=507, gid=507, home=/home/chatx, shell=/bin/bash
Jul 5 18:43:06 albatross PAM_pwdb[23891]: password for (chatx/507) changed by ((null)/0)

Well, given that it was 2:30 a.m. at the time, the hackers had had
plenty of time to screw around in the system. I found new
directories, downloaded software, etc.

Fortunately Linux, while it has many holes in its OS, has a fairly
healthy recovery mechanism, and every time the hackers screwed up a
connection it locked them out, and they had to get back in through
another computer. By the time they logged out after six hours, they'd
added several entries to the table of automatic exclusions.

Well, I spent a couple of busy days tightening up the system's
security and notifying the authorities, who reacted with
astonishing speed and fortitude (i.e. I have yet to hear anything
back).

It was my own fault, really. A case of "the cobbler's children are
the last ones shod": here I am this big security wanker, and I let my
system sit unpatched for months.

Well, part of it was deliberate. The system is well-backed-up and
doesn't have anything proprietary on it -- no credit cards, no defense
department secrets, etc., -- and I was kind of using it as a "honey
pot," a lure to draw in hackers. Why? Well, I wanted to see just how
"real" the security threat is.

And it's quite real, as I learned! The system has only been up for
six weeks and it has already been hacked. And in this case, by a
bunch of guys from Kuwait!

At least, that's how it appears. Granted, they're probably guys from
Schenectady who simply hacked into a bunch of computers in Kuwait.
It's hard to tell based on their hours: they seem to keep Western
hours. But they're also persistent. How persistent? Well, I
battened down the hatches almost two days ago now, but...
Jul 7 20:47:09 albatross in.telnetd[5181]: refused connect from access2-16.kuniv.edu.kw
Jul 7 20:47:31 albatross in.telnetd[5182]: refused connect from access2-16.kuniv.edu.kw

Yep, that's about an hour ago. They keep at it. And I keep calling
them in. Using skills developed over years of turning in spammers, I
quickly report new connection attempts to the IT staff at the various
places they try to reach me from. Today they hacked through a
SOCKS-proxy at a Texas engineering firm -- that's shut down now. And
I've been having a great series of chats with people at UUNet,
University of Kuwait, Time Warner, and other locations.
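As an added example (not code from the original post), here is the kind of small triage script that would have flagged both log excerpts above without anyone having to be awake at 2:30 a.m. It runs over a constructed syslog sample built from the quoted lines plus one benign line, and picks out password changes made by a uid-0 process with no login name, newly created accounts, and refused connections counted per source host.

```python
import re
from collections import Counter

# Constructed sample: the lines quoted in the post, plus one ordinary
# self-service password change (alice) that should NOT be flagged.
SAMPLE_LOG = """\
Jul 5 18:32:22 albatross PAM_pwdb[23827]: password for (root/0) changed by ((null)/0)
Jul 5 18:42:47 albatross useradd[23890]: new group: name=chatx, gid=507
Jul 5 18:42:47 albatross useradd[23890]: new user: name=chatx, uid=507, gid=507, home=/home/chatx, shell=/bin/bash
Jul 5 18:43:06 albatross PAM_pwdb[23891]: password for (chatx/507) changed by ((null)/0)
Jul 6 09:12:01 albatross PAM_pwdb[24102]: password for (alice/1001) changed by (alice/1001)
Jul 7 20:47:09 albatross in.telnetd[5181]: refused connect from access2-16.kuniv.edu.kw
Jul 7 20:47:31 albatross in.telnetd[5182]: refused connect from access2-16.kuniv.edu.kw
"""

# Classic syslog layout: "Mon D HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# PAM_pwdb: "password for (user/uid) changed by (byuser/byuid)";
# byuser is literally "(null)" when there is no login name attached.
PASSWD_RE = re.compile(
    r"password for \((?P<user>[^/]+)/(?P<uid>\d+)\) changed by "
    r"\((?P<by>[^/]+)/(?P<byuid>\d+)\)")
NEWUSER_RE = re.compile(r"new user: name=(?P<user>\w+), uid=(?P<uid>\d+)")
REFUSED_RE = re.compile(r"refused connect from (?P<src>\S+)")


def triage(log_text):
    """Return (findings, refused) where findings is a list of
    (timestamp, kind, account) and refused counts tcp_wrappers
    rejections per source host."""
    findings, refused = [], Counter()
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not syslog-shaped; ignore rather than crash
        ts, prog, msg = m["ts"], m["prog"], m["msg"]
        if prog == "PAM_pwdb":
            p = PASSWD_RE.search(msg)
            if p and p["by"] == "(null)":
                findings.append((ts, "password-change-no-login", p["user"]))
        elif prog == "useradd":
            u = NEWUSER_RE.search(msg)
            if u:
                findings.append((ts, "new-account", u["user"]))
        else:
            r = REFUSED_RE.search(msg)
            if r:
                refused[r["src"]] += 1
    return findings, refused


if __name__ == "__main__":
    found, hosts = triage(SAMPLE_LOG)
    for ts, kind, who in found:
        print(f"{ts}  {kind:26} {who}")
    for src, n in hosts.most_common():
        print(f"refused x{n} from {src}")
```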

But I'm learning, too. Having my clock synchronized is important -- I
found out I'm several minutes off, which makes it hard for them to
review their connection logs. Letting the folks on the other end know
what time zone I'm in is important.

So, that's why the latest long gap in updates. Annoying, but it has
been a good spur to get me to do things that need doing, securing the
box and learning the ropes. And while CERT has been unresponsive, and
SANS is too busy throwing their latest shindig to answer their phones,
the folks at the regional institutions have been very responsive.
UUNet keeps telling me "they've dealt with the situation in accordance
with their AUP," which I assume means they closed some poor bastard's
account who didn't know who he was even hacked.

Anyway, if you're one of the guys trying to hack me, it's okay to stop
now.


Posted by Albatross at July 7, 2000 12:00 AM