Merit Network

Discussion Communities: Merit Network Email List Archives

Merit Joint Technical Staff

panix.com - Security incident

  • From: Richard Schmalgemeier
  • Date: Fri Oct 22 07:39:30 1993

As some of you may already be aware, there was a major security
incident at panix.com.  The details of that incident were posted
to usenet news groups.  The attached message, from CERT, outlines
some of what the hacker was doing, and some things to look for.  
The usenet posting from panix.com is attached at the bottom.

  - Rick Schmalgemeier -- Merit

------- Forwarded Message


You may be aware of a posting made to Usenet newsgroups by panix.com
regarding an incident that occurred at their site. I have appended
that posting for your information.  The posting indicates that the
hosts referenced in it are from an incomplete list.  We have
undertaken an analysis of all the information we have surrounding this
incident and from that have derived a complete list of the hosts
referenced.  

The intruder was known to undertake the following activity:
   o    Gain root access by exploiting known vulnerabilities for which
	patches or workarounds are available.

   o    Install an Ethernet snooping program on the host which snoops
	Ethernet traffic via /dev/nit (4P) and logs the first few
	packets of any incoming or outgoing telnet, rlogin, and FTP
	sessions to a file. This information typically includes the
	hostname, username, and cleartext password information for the
	connection.  This program has been seen as a process called
	"screen" (but the intruder may choose a different name) and
	logs to a file in /usr/spool/mail, a subdirectory of
	/tmp/.X11-unix, or elsewhere on the system.


The logging program captured information about legitimate connections
from panix.com to accounts at other sites, including anonymous FTP
connections, as well as connections from other sites to accounts on
panix.com.

We would suggest that you consider taking the following steps:

	1) Change the passwords on the accounts for which password
	   information was captured.  [CERT is attempting to contact
	   sites whose information showed up in the logs that they
	   got. - rgs]

	2) Change the passwords on other accounts that have been
	   accessed from panix.com in the last month (as those
	   connections may also have been captured by the intruder at
	   an earlier date).

	3) Check your system(s) for possible signs of intrusion, check
	   your system binaries against distribution media, look
	   for possible Trojans, and look for security configuration
	   problems.  To assist you in this task, you may wish to
	   obtain a copy of our security checklist, which is available
	   via anonymous FTP from cert.org in the file
	   "/pub/tech_tips/security_info".

	4) Check for root processes that are consuming an unusual
	   amount of time on your system that may indicate that a
	   packet snooping program is being run on your host.  The
	   process may have a name such as screen.

	5) Ensure that your system(s) is up to date with security
	   patches and workarounds as detailed in CERT advisories, and
	   that you have corrected security configuration weaknesses
	   on your system as identified by tools such as COPS (see
	   section D of the checklist for details) or ISS (see CERT
	   advisory CA-93:14 for details).

	   A list of current CERT advisories is available via
	   anonymous FTP from cert.org in the file
	   "/pub/cert_advisories/01-README". 


If you identify signs of compromise on your systems either now or in
the future, please let us know if we can be of assistance.  

Regards,
Moira

Moira J. West
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, Pa. 15213-3890

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.




- ----------------------- Start of Usenet Posting -------------------------------

Article: 327 of comp.security.unix
Xref: news.sei.cmu.edu comp.security.unix:327 comp.sys.sun.admin:22956 alt.security:12463 comp.security.misc:5657
Path: news.sei.cmu.edu!crcnis1.unl.edu!moe.ksu.ksu.edu!vixen.cso.uiuc.edu!uwm.edu!cs.utexas.edu!uunet!panix!not-for-mail
From: tls@panix.com (Thor Lancelot Simon)
Newsgroups: comp.security.unix,comp.sys.sun.admin,alt.security,comp.security.misc
Subject: Security incident -- many sites exposed.
Date: 19 Oct 1993 04:09:30 -0400
Organization: PANIX Public Access Internet and Unix, NYC
Lines: 211
Sender: root@panix.com
Message-ID: <2a07bq$5ku@panix.com>
NNTP-Posting-Host: panix.com

A cracker has used one of Panix's machines to log thousands of telnet and rlogin
sessions which originated or ended on our network.  Because hundreds of users
use Panix to connect to hundreds of other machines each day, and the sniffer
program may have been running for as long as several weeks or a month, we
believe that a security incident of very large proportion has occurred.

A _very incomplete_ list of sites which may be at risk follows.  This is
derived from only _two days_ of captured data we have discovered.  If your
site appears on this list, you should be particularly worried; at least one
account has been compromised.  If your site name does not appear on this list,
you should be especially vigilant about passwords and password expiration
nonetheless.  

Please contact CERT to obtain a complete incident report or with other
inquiries related to this matter.


panix.com => 128.122.154.9(telnet)
panix.com => 129.67.1.46(telnet)
panix.com => 143.131.190.15(telnet)
panix.com => 153.104.15.249(telnet)
panix.com => 163.231.230.1(telnet)
panix.com => 192.148.240.9(telnet)
panix.com => 192.200.0.0(telnet)
panix.com => 192.31.154.1(telnet)
panix.com => 192.35.222.222(telnet)
panix.com => 198.7.0.5(telnet)
panix.com => 198.80.32.2(telnet)
panix.com => 35.1.48.159(telnet)
panix.com => ANDREW.CMU.EDU(telnet)
panix.com => Argus.Stanford.EDU(telnet)
panix.com => BOBCAT.NYU.EDU(telnet)
panix.com => DRYCAS.CLUB.CC.CMU.EDU(telnet)
panix.com => ESPERANTO.ANDREW.CMU.EDU(telnet)
panix.com => Gauss.Math.McGill.CA(telnet)
panix.com => Grind.isca.uiowa.edu(telnet)
panix.com => JULIUS.LAW.NYU.EDU(telnet)
panix.com => LIB.MED.CORNELL.EDU(telnet)
panix.com => LIBRARY.BU.EDU(telnet)
panix.com => LIBRARY.MIT.EDU(telnet)
panix.com => LIBRARY.YCC.YALE.EDU(telnet)
panix.com => LOLA.LAW.UPENN.EDU(telnet)
panix.com => Lanka.CCIT.Arizona.EDU(telnet)
panix.com => MINERVA.CIS.YALE.EDU(telnet)
panix.com => MINTAKA.LCS.MIT.EDU(telnet)
panix.com => NIC.DDN.MIL(telnet)
panix.com => NeXT.cis.Brown.EDU(telnet)
panix.com => Osiris.AC.HMC.Edu(telnet)
panix.com => PATHMAC.MED.CORNELL.EDU(telnet)
panix.com => Princeton.EDU(telnet)
panix.com => Quake.Think.COM(telnet)
panix.com => SACC.HSCBKLYN.EDU(telnet)
panix.com => SEC.MED.UPENN.EDU(telnet)
panix.com => SUMEX-AIM.Stanford.EDU(telnet)
panix.com => Sony.COM(telnet)
panix.com => TSX-11.MIT.EDU(telnet)
panix.com => UMPG1.CIS.YALE.EDU(telnet)
panix.com => VM1.McGill.CA(telnet)
panix.com => alexia.lis.uiuc.edu(telnet)
panix.com => alsys1.aecom.yu.edu(telnet)
panix.com => alumni.cco.caltech.edu(telnet)
panix.com => animal-farm.nevada.edu(telnet)
panix.com => auvax1.adelphi.edu(telnet)
panix.com => bbsnet.com(telnet)
panix.com => bigvax.alfred.edu(telnet)
panix.com => bix.com(telnet)
panix.com => blc.lib.neu.edu(telnet)
panix.com => bolero.rahul.net(telnet)
panix.com => bonjour.cc.columbia.edu(telnet)
panix.com => brick.purchase.edu(telnet)
panix.com => bruno.cs.colorado.edu(telnet)
panix.com => bullseye.cs.williams.edu(telnet)
panix.com => calvin.abc.GOV.AU(telnet)
panix.com => cap.gwu.edu(telnet)
panix.com => ccvm.sunysb.edu(telnet)
panix.com => crash.cts.com(telnet)
panix.com => crcnis2.unl.edu(telnet)
panix.com => cs.uwp.edu(telnet)
panix.com => cyberspace.com(telnet)
panix.com => darwin.poly.edu(telnet)
panix.com => delphi.com(telnet)
panix.com => denwa.info.com(telnet)
panix.com => dialog.com(telnet)
panix.com => dorm.rutgers.edu(telnet)
panix.com => dra.com(telnet)
panix.com => ds.internic.net(telnet)
panix.com => ebb.stat-usa.gov(telnet)
panix.com => echonyc.com(telnet)
panix.com => eff.org(telnet)
panix.com => electra.cs.Buffalo.EDU(telnet)
panix.com => ellis.uchicago.edu(telnet)
panix.com => emx.cc.utexas.edu(telnet)
panix.com => fedworld.gov(telnet)
panix.com => forum.ans.net(telnet)
panix.com => freedom.NMSU.Edu(telnet)
panix.com => freenet.buffalo.edu(telnet)
panix.com => garnet.msen.com(telnet)
panix.com => gateway.morgan.com(telnet)
panix.com => gemma.wustl.edu(telnet)
panix.com => glis.cr.usgs.gov(telnet)
panix.com => hafnhaf.micro.umn.edu(telnet)
panix.com => harvardc.harvard.edu(telnet)
panix.com => hela.INS.CWRU.Edu(telnet)
panix.com => helix.nih.gov(telnet)
panix.com => hereford.cs.williams.edu(telnet)
panix.com => hme1.merit.edu(telnet)
panix.com => hmea.merit.edu(telnet)
panix.com => holonet.net(telnet)
panix.com => hotsun.nersc.gov(telnet)
panix.com => husc7.harvard.edu(telnet)
panix.com => illuminati.io.com(telnet)
panix.com => info.umd.edu(telnet)
panix.com => jack.clarku.edu(telnet)
panix.com => laphroaig.cs.hut.fi(telnet)
panix.com => leon.nrcps.ariadne-t.gr(telnet)
panix.com => lhc.nlm.nih.gov(telnet)
panix.com => library.ox.ac.uk(telnet)
panix.com => libws4.ic.sunysb.edu(telnet)
panix.com => locis.loc.gov(telnet)
panix.com => mabuhay.cc.columbia.edu(telnet)
panix.com => maelstrom.oc.com(telnet)
panix.com => magnum.cooper.edu(telnet)
panix.com => mailhub.cc.columbia.edu(telnet)
panix.com => mathlab.sunysb.edu(telnet)
panix.com => mbone.ans.net(telnet)
panix.com => mcigateway.mcimail.com(telnet)
panix.com => mclib0.med.nyu.edu(telnet)
panix.com => medlars.nlm.nih.gov(telnet)
panix.com => megalon.acs.appstate.edu(telnet)
panix.com => merhaba.cc.columbia.edu(telnet)
panix.com => mhc.mtholyoke.edu(telnet)
panix.com => mindvox.phantom.com(telnet)
panix.com => mitl.MITL.Research.Panasonic.COM(telnet)
panix.com => mono.city.ac.uk(telnet)
panix.com => namaste.cc.columbia.edu(telnet)
panix.com => nbc.wa2ndv.ampr.org(telnet)
panix.com => nervm.nerdc.ufl.edu(telnet)
panix.com => net.bio.net(telnet)
panix.com => netcom.netcom.com(telnet)
panix.com => netmail.microsoft.com(telnet)
panix.com => news.panix.com(telnet)
panix.com => nih-library.ncrr.nih.gov(telnet)
panix.com => nxoc01.cern.ch(telnet)
panix.com => nyplgate.nypl.org(telnet)
panix.com => nysernet.org(telnet)
panix.com => occs2.nlm.nih.gov(telnet)
panix.com => pac.carl.org(telnet)
panix.com => pacevm.dac.pace.edu(telnet)
panix.com => paradise.ulcc.ac.uk(telnet)
panix.com => pegasus.law.columbia.edu(telnet)
panix.com => port25.new-york.ny.pub-ip.psi.net(telnet)
panix.com => pprg.eece.unm.edu(telnet)
panix.com => psupena.psu.edu(telnet)
panix.com => psuvm.psu.edu(telnet)
panix.com => pubinfo.ais.umn.edu(telnet)
panix.com => pucc.Princeton.EDU(telnet)
panix.com => raven.dcrt.nih.gov(telnet)
panix.com => redmont.CIS.UAB.EDU(telnet)
panix.com => rhoda.fordham.edu(telnet)
panix.com => rigel.acs.oakland.edu(telnet)
panix.com => rlg.Stanford.EDU(telnet)
panix.com => rs.internic.net(telnet)
panix.com => rs5.loc.gov(telnet)
panix.com => ruby.ora.com(telnet)
panix.com => salaam.cc.columbia.edu(telnet)
panix.com => sparc-1.janus.columbia.edu(telnet)
panix.com => spiff.gnu.ai.mit.edu(telnet)
panix.com => spot.Colorado.EDU(telnet)
panix.com => st.vse.cz(telnet)
panix.com => stanley.cis.brown.edu(telnet)
panix.com => sun1.pipeline.com(telnet)
panix.com => testbed(telnet)
panix.com => tigger.jvnc.net(telnet)
panix.com => tivoli.tivoli.com(telnet)
panix.com => ts(telnet)
panix.com => uacsc2.albany.edu(telnet)
panix.com => ukanvm.cc.ukans.edu(telnet)
panix.com => unix2.tcd.ie(telnet)
panix.com => uu.psi.com(telnet)
panix.com => uxc.cso.uiuc.edu(telnet)
panix.com => vaxa.csc.cuhk.hk(telnet)
panix.com => voyager.bxscience.edu(telnet)
panix.com => well.sf.ca.us(telnet)
panix.com => whip.isca.uiowa.edu(telnet)
panix.com => wiretap.spies.com(telnet)
panix.com => wombat.gnu.ai.mit.edu(telnet)
panix.com => world.std.com(telnet)
panix.com => wyvern.wyvern.com(telnet)
panix.com => yog-sothoth.sura.net(telnet)
panix.com => zebu.cs.williams.edu(telnet)
panix.com => zone.net(telnet)
panix.com => zyxel.com(telnet)
panix.com => DRYCAS.CLUB.CC.CMU.EDU(rlogin)
panix.com => alexia.lis.uiuc.edu(rlogin)
panix.com => cardinal.Stanford.EDU(rlogin)
panix.com => carmen.phys.columbia.edu(rlogin)
panix.com => cdp.igc.org(rlogin)
panix.com => cyberspace.com(rlogin)
panix.com => echonyc.com(rlogin)
panix.com => elaine12.Stanford.EDU(rlogin)
panix.com => enterprise.bih.harvard.edu(rlogin)
panix.com => manet.eecs.uic.edu(rlogin)
panix.com => medlib.hscbklyn.edu(rlogin)
panix.com => merhaba.cc.columbia.edu(rlogin)
panix.com => netcom.netcom.com(rlogin)
panix.com => news.panix.com(rlogin)
panix.com => oinker.njit.edu(rlogin)
panix.com => testbed(rlogin)
panix.com => troi.cc.rochester.edu(rlogin)
panix.com => well.sf.ca.us(rlogin)
panix.com => woof.music.columbia.edu(rlogin)

- ----------------------- End of Usenet Posting --------------------------------

------- End of Forwarded Message
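The checks in steps 3 and 4 of the CERT note above (root processes with unusual CPU time, files left where the logger is said to write, system binaries compared against distribution media), written out as a small POSIX shell triage script. This is an added example, not code from CERT, Panix or Merit. The function names, the 3600-second CPU threshold, the manifest format (sha256sum output recorded from distribution media), the `ps -eo user,pid,time,comm` input layout and the `TRIAGE_LIVE` switch are all assumptions, and the sample `ps` listing is constructed.

```shell
#!/bin/sh
# Added example; not part of the CERT message or the Panix posting.
# Helpers for the checks in steps 3 and 4 of the CERT note. All names,
# paths, thresholds and the manifest format are assumptions.

# Convert a ps TIME field ("[[DD-]HH:]MM:SS") to seconds.
ps_time_to_seconds() {
    echo "$1" | awk -F'[-:]' '{
        n = NF; s = $n; m = $(n - 1); h = 0; d = 0
        if (n >= 3) h = $(n - 2)
        if (n >= 4) d = $(n - 3)
        print ((d * 24 + h) * 60 + m) * 60 + s
    }'
}

# Step 4: root processes with unusual CPU time, or named "screen".
# $1 = CPU threshold in seconds (assumed); stdin = output of
# `ps -eo user,pid,time,comm` (header line skipped). Prints "PID COMMAND TIME".
flag_root_procs() {
    threshold="$1"
    while read -r user pid time comm; do
        [ "$user" = "USER" ] && continue
        [ "$user" = "root" ] || continue
        secs=$(ps_time_to_seconds "$time")
        if [ "$comm" = "screen" ] || [ "$secs" -ge "$threshold" ]; then
            echo "$pid $comm $time"
        fi
    done
}

# Step 3 (part): the note says the logger writes under /tmp/.X11-unix, which
# normally holds only X server sockets. List any file or subdirectory there.
# $1 = root of the tree to scan (assumed; "/" on a live host).
find_x11_residue() {
    dir="$1/tmp/.X11-unix"
    [ -d "$dir" ] || return 0
    find "$dir" \( -type f -o -type d \) ! -path "$dir"
}

# SHA-256 of a file; sha256sum on Linux, shasum elsewhere (assumed available).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Step 3: compare system binaries against hashes recorded from distribution
# media. $1 = manifest of "<sha256>  <absolute path>" lines (assumed format,
# as written by sha256sum); $2 = root of the tree being checked.
# Prints "MODIFIED <path>" or "MISSING <path>" for each binary that differs.
verify_binaries() {
    manifest="$1"; root="$2"
    while read -r want path; do
        [ -n "$want" ] || continue
        file="$root$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
            continue
        fi
        have=$(digest "$file")
        [ "$have" = "$want" ] || echo "MODIFIED $path"
    done < "$manifest"
}

# Constructed sample ps output: a root "screen" process with over an hour of
# CPU time, a busy root network daemon, and a user-owned screen session.
SAMPLE_PS='USER PID TIME COMMAND
root 1 00:00:03 init
root 212 01:12:45 screen
daemon 300 03:40:00 lpd
root 418 00:54:10 nfsd
root 522 02:03:44 in.telnetd
alice 777 00:00:10 screen'

# With TRIAGE_LIVE=1 the checks run against the real host; otherwise only
# the constructed sample is processed. The manifest path is an assumption.
if [ "${TRIAGE_LIVE:-0}" = 1 ]; then
    ps -eo user,pid,time,comm | flag_root_procs 3600
    find_x11_residue /
    if [ -f /var/tmp/binaries.sha256 ]; then
        verify_binaries /var/tmp/binaries.sha256 /
    fi
else
    printf '%s\n' "$SAMPLE_PS" | flag_root_procs 3600
fi
```

On the constructed sample, `flag_root_procs 3600` reports PID 212 (`screen`, and over the threshold) and PID 522 (`in.telnetd`, 2h03m of CPU); `nfsd` at 54 minutes and the user-owned `screen` are not flagged. A hash manifest is only worth anything if it was recorded from trusted media before the compromise, which is the point of the note's comparison against distribution media rather than against the running system's own copies.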
