Apr. 14th, 2004 @ 05:38 pm Ah, the joys of being pwn3d
Being relatively computer savvy, and generally having reasonable security practices, I figured that I wasn’t going to be hit by hackers and worms that are floating around on the internet. After all, I don’t do any work or leave anything important on machines that I use. And yet, last week, machines under my control managed to be hacked. One was being hosted at CMU and the other was being hosted at a colocation provider that I use. Dealing with these has led me to think quite a bit more about computer security, and thus here are my own lessons learned, combined with stuff that I already knew but felt was relevant for good measure. These are the more general ones, and maybe others will get something out of them.

Legitimate users will try to avoid the hassles caused by your security, and take shortcuts in order to compromise your security.
Once someone has local access, they can gain root access very easily and then begin to wreak havoc.
Make it a habit to check for suspicious activity by looking for strange login locations, extra open ports and the like.
Don’t assume that remote machines are secure and try to limit authentication between such untrustworthy machines.
In fact, try to assume that your local machine is insecure and devise your security strategy from there.
Logs are a wonderful thing to look through to determine point of entry and how they went through the system.
Hackers can move quickly from system to system (this one took about 3 minutes to get a rootkit named Suckit onto the machine).
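As an added example of the "check for strange login locations and extra open ports" habit above (this is not code from the original post): a small Python script that scans sshd auth-log lines for accepted logins originating outside a set of trusted networks, and diffs a snapshot of listening ports against a known baseline. The log lines, the trusted networks, the port baseline and the listening-port snapshot are all constructed for the example; on a real host you would feed it /var/log/auth.log (or secure) and the output of netstat -ltn or ss -ltn.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of sshd auth-log lines (not from the page or any real host).
SAMPLE_AUTH_LOG = """\
Apr 10 03:12:44 host sshd[2231]: Accepted password for alice from 128.2.10.55 port 51022 ssh2
Apr 10 03:13:01 host sshd[2240]: Failed password for root from 130.126.44.9 port 40113 ssh2
Apr 10 03:13:03 host sshd[2240]: Accepted password for bob from 130.126.44.9 port 40113 ssh2
Apr 10 03:15:30 host sshd[2251]: Accepted publickey for alice from 10.0.0.7 port 33410 ssh2
Apr 10 03:16:02 host sshd[2260]: Accepted password for bob from 192.0.2.17 port 55012 ssh2
"""

# Networks from which interactive logins are expected (constructed for this example).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("128.2.0.0/16", "10.0.0.0/8")]

# Ports that are supposed to be listening on this host (constructed baseline).
BASELINE_PORTS = {22, 80}

# Matches the "Accepted <method> for <user> from <ip> port <port>" form sshd logs.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class Login:
    user: str
    ip: str
    method: str


def parse_accepted_logins(log_text):
    """Return every successful sshd login found in the log text, in order."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            logins.append(Login(m["user"], m["ip"], m["method"]))
    return logins


def is_trusted(ip, networks=TRUSTED_NETWORKS):
    """True if the address falls inside any of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def strange_logins(log_text, networks=TRUSTED_NETWORKS):
    """Successful logins that came from outside the trusted networks."""
    return [login for login in parse_accepted_logins(log_text)
            if not is_trusted(login.ip, networks)]


def unexpected_ports(listening, baseline=BASELINE_PORTS):
    """Ports listening now that are not in the baseline, sorted."""
    return sorted(set(listening) - set(baseline))


# Constructed snapshot of listening TCP ports, as one might collect from netstat -ltn.
SAMPLE_LISTENING = [22, 80, 8888]

if __name__ == "__main__":
    for login in strange_logins(SAMPLE_AUTH_LOG):
        print(f"strange login: {login.user} via {login.method} from {login.ip}")
    for port in unexpected_ports(SAMPLE_LISTENING):
        print(f"unexpected listening port: {port}")
```

Run against the constructed input it reports both of bob's logins (from the 130.126.0.0/16 and 192.0.2.0/24 addresses, neither of which is in the trusted list) and the extra port 8888. Note that the failed root attempt immediately before bob's success from the same address is exactly the kind of sequence worth reading the surrounding log for.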

Of course, the fact that many IT people (who are paid to do this type of work at high-profile educational institutions) also got pwned by the same people, like Stanford, UIUC, CMU, UPenn, as well as many other facilities in TeraGrid, a supercomputing project. There’s even an FBI investigation going on, and news of this is even available at the Washington Post here.
From: dwchang
Date: April 14th, 2004 02:41 pm (UTC)
So what did they do to your machine? Hopefully nothing too severe.
From: bogosort
Date: April 14th, 2004 02:44 pm (UTC)
Oh, just installed a rootkit. They were pretty sloppy in leaving stuff lying around (or maybe they were trying to appear sloppy so we wouldn't find out about the more sekrit stuff that they put on there). Wasn't that hard to trace the original point of entry to be from the AI lab at UIUC. =P Problem is, once a machine gets rooted, you have to assume that everything on it is tainted, and the best thing to do is to reinstall (which made the colo that it's being hosted at quite happy).
From: dwchang
Date: April 14th, 2004 02:47 pm (UTC)
Glad to see folks at my alma mater doing such nice things :-/.

Well I'm glad it wasn't worse than just that if that's any consolation *shrug*. I better go through my logs soon too.
From: bogosort
Date: April 14th, 2004 02:52 pm (UTC)
Bah, it's not like folks from there were doing anything. Mostly that their machine was involved (because it was hacked previously). Most hackers big enough to warrant an FBI investigation do a bit of hopping around computer systems to make it much more difficult to trace their whereabouts.

If you're on the unix side though, I'd highly recommend you run a utility called chkrootkit. It's fairly good at detecting such nasty things on your machine.
From: winddancer
Date: April 14th, 2004 03:10 pm (UTC)
Hooray for a**holes with too much time on their hands!!

If they could lend me some of their time I might like, pass college!
From: bogosort
Date: April 15th, 2004 10:18 am (UTC)
The sad part is that many of the people who do such things are stupid 15 year olds who've never set foot inside of a college campus (actually they probably never will).