[436] in Athena User Interface
Re: Fwd: breakins to some MIT Linux machines (Case 185834)
daemon@ATHENA.MIT.EDU (Jonathon Weiss)
Tue Sep 19 15:07:24 2000
Message-Id: <200009191907.PAA00799@detraction.mit.edu>
From: Jonathon Weiss <jweiss@MIT.EDU>
To: "Christopher D. Beland" <beland@MIT.EDU>
cc: wdc@MIT.EDU, lcs@MIT.EDU, ops@MIT.EDU, aui@MIT.EDU
In-reply-to: Your message of "Tue, 19 Sep 2000 08:50:14 EDT."
<200009191250.IAA07058@Press-Your-Luck.mit.edu>
Date: Tue, 19 Sep 2000 15:07:18 EDT

> It was, in fact, running vanilla Redhat 6.2 with Helix Code Gnome.
> Come to think of it, I may have forgotten to install the RedHat
> post-release updates after I installed the Gnome updates, which could
> explain the fast compromise.

That is undoubtedly the problem. The crackers are probing MIT all of
the time, and you really can't afford to leave an unsecured machine on
the network at all.

> Though I'd be interested to know what
> vulnerability was used to get in. (For instance, we've yet to
> security-audit the Gnome code that makes network connections.)

According to the mail Bill forwarded, the symptoms net-security
noticed were the results of a known exploit against rpc.statd. In
general, MIT has been hammered with attacks against rpc.statd over the
past few weeks.

> > P.S. I guess we really DO need that test-cluster-w92 email list. If
> > Mike Barker hadn't forwarded this to me, it's unclear the news would
> > have reached the right people.
>
> That would be handy...

There's a 'test-cluster' list that purports to be for the e40 test
cluster. Does anyone object to my adding moties and beland to it and
declaring it to be relevant? FWIW it is public and archived in a
public discuss meeting. Do we care?

Jonathon