[41783] in Hotline Meeting
Re: Athena Account Hacked
daemon@ATHENA.MIT.EDU (Michael L Barrow)
Sat Feb 7 19:09:00 1998
Date: Sat, 7 Feb 1998 19:08:56 -0500
From: Michael L Barrow <mlbarrow@MIT.EDU>
To: Stead Kiger <wskiger@MIT.EDU>
Cc: stopit@MIT.EDU, hotline@MIT.EDU, net-security@MIT.EDU
In-Reply-To: "[4327] in Stop It"

> I believe that my Athena account was accessed by an unauthorized user early
> this morning. When I logged into the express dialup server today, I noticed
> that the server reported that I had last logged in from java.harvard.edu. I
> don't have access to this or any other computers on the Harvard main campus
> and was asleep at the time that the unauthorized access occurred. The

We will follow up with the computing staff at Harvard to let them know
that your account was compromised and that they should look into things
on their end.

> several hours after I logged out last night. Although I haven't checked
> carefully for any missing files, nothing appears to have been harmed at
> first glance.

That's good. If you find any strange files that look like they might be
part of a cracking toolkit, please drop a line to
net-security@mit.edu. If you find that you're missing files, please drop
a line to ops@mit.edu to see if they can assist you with retrieving
files from a backup.

> I have attached below the transcript of my most recent Athena login that
> shows the remote access. I have (obviously) changed my Kerberos password to
> hopefully prevent further attacks.

I hope that you changed your password securely by using a kpasswd client
either from the console of a machine or over an encrypted login
session.

> UNIX(r) System V Release 4.0 (mass-toolpike) (pts/18)
> Warning: this session is NOT encrypted!
> login: wskiger
> Password for wskiger:
> Last login: Sat Feb 7 03:00:46 from java.harvard.edu

In general, you should be using encrypted telnet when you log
into machines over the network. I noticed that the session in your
transcript was unencrypted. This is the method by which the rogue users
obtain passwords. You *MUST* use encrypted logins!!!
If you have further questions about any of this, please drop a line to
net-security@mit.edu.
Thanks,
michael
Michael L. Barrow (michael@mit.edu)
Network Engineer
MIT Network Operations