Over the course of three weeks in August, two Sun computers that I
manage, including the IUBio archive host, were broken into by an
Internet cracker. This person, or persons, apparently used known
security holes in the standard SunOS Unix software to gain access
via NFS, logins and full superuser privileges. This cracker then
altered important system binaries to hide his/her activities, to gain
future access and possibly just to cause me hassles. It took me
about a week of work and finally erasing and reinstalling the / and /usr
Unix partitions to clean out the damage on ftp.bio.indiana.edu. I
think the archive host is now working properly for ftp and gopher
access.

Prior to this, I had not paid much attention to security concerns
for Internet-accessible computers. I thought passwords were enough,
and there wasn't anything of interest to crackers on my computers.
My mistake. Among other things, the cracker used one of my hosts
to break into other computers, and tried to gain control of a modem
and telephone to dial out to other computers. At one point, this
cracker had broken in at several computers in USA, Australia
and possibly Norway, and was shuffling files among them as if s/he
owned them all.

To the best of my knowledge, the anonymous ftp and internet gopher
server software on ftp.bio.indiana.edu were not used by the
cracker in gaining access, but known security holes in SunOS 4.1.1
were used.

The best advice I got in dealing with these activities was from
the Computer Emergency Response Team (CERT). They keep tabs on
foul and criminal activities like I was experiencing. In February
and June, they posted advisories about Internet break-ins such as
this one. They also keep an archive of advisories on known security
holes and ways to patch them. I read these, installed security
patches that apply to my systems, and am now running a security
checking program (COPS) available from CERT.

For those of you who manage Unix or VMS systems, I strongly
recommend that you read through the CERT advisories that apply to
your systems, including their general advisories on Internet
intruders, if you haven't done so recently. If you have an
Internet-connected computer, the only way to ensure it isn't
broken into by bad people is to be vigilant on security.

Anonymous ftp to cert.org (192.88.209.5),
get /pub/cert_advisories/01-README.
Internet E-mail: cert at cert.org
-- Don
--
Don Gilbert gilbert at bio.indiana.edu
biocomputing office, biology dept., indiana univ., bloomington, in 47405