[57526] in Hotline Meeting
Re: Case 246871: This case has recently been updated
daemon@ATHENA.MIT.EDU (Ruaidhri O'Connor)
Wed Dec 5 00:49:50 2001
Message-Id: <200112050549.AAA19294@m1-142-7.mit.edu>
To: Mark Silis <mark@MIT.EDU>
cc: hotline@MIT.EDU, network@MIT.EDU, larugsi@MIT.EDU
In-Reply-To: Your message of "Wed, 05 Dec 2001 00:08:48 EST."
<20011205000848.A10143@I-fear-reorgs.MIT.EDU>
Date: Wed, 05 Dec 2001 00:49:47 -0500
From: "Ruaidhri O'Connor" <rmoc@MIT.EDU>
Hi,
I have contacted security who informed me that
because of a security breach on my machine the net drop
will remain offline until I have reinstalled a secure OS.
I am taking these steps tonight.
Thank you for your help in identifying the problem.
The person I communicated with last was "Linda A. LeBlanc" <leblancl@MIT.EDU>
Below is our communication.
- Rory
>---------------------------------------------------
>Ruaidhri M. O'Connor, ScD
>Assistant Professor
>Dept. Civil & Environmental Engineering
>Massachusetts Institute of Technology, Room 1-174
>Cambridge, MA 02139
>USA
>
>Phone: 1-617-482-3395
>Fax: 1-617-253-6324
>email: rmoc@mit.edu
>---------------------------------------------------
Hi Prof. O'Connor
I just have a couple of questions about the
circumstances surrounding your compromise.
I am not completely familiar with the case and
would like for you to clarify a couple of things
for me if possible.
I only have evidence of knowledge of a compromise
dating from 1 Dec. We currently list an Anthee
Travers as a contact for this machine. He or she
was notified at approximately 2 am on 1 Dec.
Why this information was not relayed to you,
we don't know. If you wish to have the contact
information changed to your name, let me know
and I'll fix it.
You make a reference to an
outside complaint wherein you told them
they had been compromised. Could you explain
the details of this exchange for me, so that
we can improve our reporting and forensics
procedures?
When you have completed the reinstallation of
zmb.mit.edu, please let us know and we will
reenable your drop.
Thank you for your timely cooperation in this
matter, and for helping us understand the
route this compromise has taken.
If you have any other questions or concerns
please let me know, and we'll get them worked
out.
Linda LeBlanc for security@mit.edu
PS. Please be sure to include the case
number in the subject line.
--------------------------------------------------------------
Dear Linda,
Thanks for your response. I will contact my AO to determine
why I was not informed of the network deactivation.
It certainly appears that someone dropped the ball on my end
regarding notification. Sorry for the confusion.
Regarding the outside complaint:
When the break-in occurred I traced the access point to datapipe.net
I sent email to them and security but it appears that I sent my email
to the wrong address (I do not use my linux box for mail and did not
notice the failure to get the note to you). I was also out of the
loop that week in the infirmary which obfuscated the matter even more
(i.e. the person was unhindered for several days over the break).
The breach involved the ssh CRC32 crack (which I am now aware of).
The person installed a directory at the root level called salvia
which contained code to install a kernel module and enable a
transparent TCP backdoor to my system. I believe I disabled this
on discovery but as you note, a complete reinstall is required to
ensure hygiene.
The source code included the names Salvia Divinorum (sic)
and references the sites: www.ezlink.com/ - an ISP in CO
mixter.warrior2k.com - a security site
I still have the message logs and salvia directory if they are of any
use. My kernel was certainly corrupted as was evident from the dmesg
log.
Regards,
- Ruaidhri
Here is a summary of what I looked up:
Nov 23 10:06:57 zmb sshd[19832]: fatal: Local: crc32 compensation attack: network attack detected
Nov 23 10:06:57 zmb sshd[19833]: log: Connection from 64.27.88.120 port 3666
Nov 23 10:06:57 zmb sshd[19833]: log: Could not reverse map address 64.27.88.120
and traceroute:
traceroute to 64.27.88.120 (64.27.88.120), 30 hops max, 38 byte packets
 1  B24-RTR-2-1.MIT.EDU (18.58.0.1)  0.354 ms  0.672 ms  0.270 ms
 2  EXTERNAL-RTR-BACKBONE.MIT.EDU (18.168.0.18)  3.833 ms  2.394 ms  2.339 ms
 3  ATM10-420-OC12-GIGAPOPNE.NOX.ORG (192.5.89.9)  3.457 ms  2.526 ms  2.137 ms
 4  QWEST-GIGAPOPNE.NOX.ORG (192.5.89.66)  212.899 ms  199.788 ms  199.633 ms
 5  bos-core-02.inet.qwest.net (205.171.28.33)  190.542 ms  190.379 ms  187.746 ms
 6  jfk-core-02.inet.qwest.net (205.171.8.20)  196.260 ms  206.010 ms  197.362 ms
 7  jfk-core-03.inet.qwest.net (205.171.230.10)  187.371 ms  195.605 ms  198.896 ms
 8  ewr-core-03.inet.qwest.net (205.171.5.89)  202.440 ms  200.039 ms  181.506 ms
 9  ewr-cntr-02.inet.qwest.net (205.171.17.150)  189.545 ms  196.603 ms  188.872 ms
10  msfc-22.ewr.qwest.net (63.146.100.42)  195.966 ms  183.968 ms  189.321 ms
11  core1.ewr.datapipe.net (63.236.25.174)  179.958 ms  198.735 ms  201.385 ms
12  aggr1.ewr.datapipe.net (216.109.128.11)  196.848 ms  193.181 ms  190.099 ms
13  64.27.88.120 (64.27.88.120)  195.026 ms  187.384 ms  196.066 ms
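The three sshd lines quoted in the thread are the whole forensic lead, and they carry a trap worth noticing: the "crc32 compensation attack" message was logged by sshd pid 19832, while the only "Connection from 64.27.88.120" line belongs to pid 19833, a different child process. The address in the excerpt is therefore a neighbour of the alert, not proven to be the connection that tripped the detector. The script below is an added example, not part of the thread or of MIT's tooling; it parses sshd syslog lines, ties each CRC32 alert to the peer that the same pid logged, and, when that pid never logged a connection (as in the excerpt), reports the address as unknown and lists the peers other sshd children logged in the same second as a lead only. The first sample is the thread's own lines rejoined onto one line each; the second sample (host1, pids 4242/4243, the 192.0.2.x addresses) is constructed to show the path where the alerting pid did log its connection.

```python
import re

# Sample input 1: the three sshd lines quoted in the thread, rejoined onto
# one line each (the mail wrapped them).  There is no "Connection from"
# line for pid 19832, the process that raised the alert.
SAMPLE_LOG = """\
Nov 23 10:06:57 zmb sshd[19832]: fatal: Local: crc32 compensation attack: network attack detected
Nov 23 10:06:57 zmb sshd[19833]: log: Connection from 64.27.88.120 port 3666
Nov 23 10:06:57 zmb sshd[19833]: log: Could not reverse map address 64.27.88.120
"""

# Sample input 2 (constructed: hostname, pids and addresses are made up)
# where the alerting sshd child logged its own connection first.
SAMPLE_LOG_WITH_CONN = """\
Nov 24 03:12:01 host1 sshd[4242]: log: Connection from 192.0.2.17 port 40001
Nov 24 03:12:01 host1 sshd[4242]: log: Could not reverse map address 192.0.2.17
Nov 24 03:12:02 host1 sshd[4242]: fatal: Local: crc32 compensation attack: network attack detected
Nov 24 03:12:05 host1 sshd[4243]: log: Connection from 192.0.2.99 port 40002
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN_RE = re.compile(
    r"Connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")
# Text emitted by the SSH1 CRC32 compensation attack detector (deattack.c),
# the code whose integer overflow is the "ssh CRC32 crack" the thread names.
ATTACK_MARK = "crc32 compensation attack"


def parse_sshd_lines(text):
    """Return one dict (ts, host, pid, msg) per syslog line from sshd."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_crc32_alerts(text):
    """Correlate each CRC32 alert with the peer logged by the same sshd pid.

    If the alerting pid never logged "Connection from", peer/port are None
    and nearby_peers lists addresses other sshd children logged within the
    same second: a lead for the analyst, not an attribution.
    """
    events = parse_sshd_lines(text)
    peer_by_pid = {}
    for ev in events:
        c = CONN_RE.search(ev["msg"])
        if c:
            peer_by_pid[ev["pid"]] = (c["ip"], int(c["port"]))

    alerts = []
    for ev in events:
        if ATTACK_MARK not in ev["msg"]:
            continue
        ip, port = peer_by_pid.get(ev["pid"], (None, None))
        nearby = sorted({
            peer_by_pid[o["pid"]][0]
            for o in events
            if o["pid"] != ev["pid"] and o["ts"] == ev["ts"]
            and o["pid"] in peer_by_pid
        })
        alerts.append({
            "ts": ev["ts"], "host": ev["host"], "pid": ev["pid"],
            "peer": ip, "port": port, "nearby_peers": nearby,
        })
    return alerts


if __name__ == "__main__":
    for log in (SAMPLE_LOG, SAMPLE_LOG_WITH_CONN):
        for a in find_crc32_alerts(log):
            who = a["peer"] or "unknown (no connection line for pid %s)" % a["pid"]
            print("%s %s sshd[%s]: CRC32 attack from %s; other peers that second: %s"
                  % (a["ts"], a["host"], a["pid"], who, a["nearby_peers"] or "none"))
```

Run against the thread's lines, the script reports the attack as coming from an unknown peer for pid 19832 and lists 64.27.88.120 only as a same-second neighbour; that is the honest reading of the excerpt, and the reason to pull the full syslog (the connection line for pid 19832) before naming a source in an abuse complaint.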