[56530] in Hotline Meeting
quickstation-3 likely compromised
daemon@ATHENA.MIT.EDU (Mitchell E Berger)
Fri Sep 21 05:21:33 2001
Message-Id: <200109210921.FAA03905@byte-me.mit.edu>
To: hotline@MIT.EDU
cc: mitchb@MIT.EDU
Date: Fri, 21 Sep 2001 05:21:30 -0400
From: Mitchell E Berger <mitchb@MIT.EDU>

Sorry for not sending this sooner; got sidetracked by schoolwork...

Earlier this evening I found quickstation-3 (third floor of W20) in a very
suspicious state. It was not running X, did not accept the public root
password, had several errors about the user uucp not existing on virtual
terminal 1, and responded with the infamous "You don't exist. Go away!" Linux
error message when Alt-Ctrl-Del was pressed. It responds awkwardly to athinfo
queries (I'm getting connection reset by peer errors). This looks like either
massive disk corruption or compromise to me, likely the latter. If it were
possible to tell who tried logging into the machine in this state, it might be
a good precaution to advise them to change their passwords, but I'm not sure
how you'd get this info if logins didn't succeed.

I didn't have time to do anything in the way of shutting down or labelling the
machine.

Mitch