Not long ago, and not entirely without preparation, the burden of monitoring network security at my workplace was placed upon my shoulders. The following is the text of a message I recently sent to a coworker, to tell her that her workstation had been broken into.
Names and addresses of people and computers have been changed; names of IRC networks and countries have not. Hardlinks and some other markup have been added. The grammar is a bit rough in spots, and there's a typo or two; I've left these intact. I still find writing these messages a bit stressful.
Marie --
It appears that yourbox.example.net has been cracked, and has been since
Wednesday. The DNS tables say that this is a machine in your office.
This message is to let you know that I've blocked it from the outside
Internet, and to let you know the reasons I believe it's compromised. I
recommend that the operating system be reinstalled and upgraded to the
latest release before it be allowed on the outside Net again.
Our security monitoring software picked up a large quantity of unusual-looking IRC (Internet Relay Chat) activity from yourbox to irc.example.edu.
Specifically, it appears that yourbox is exchanging some sort of binary
data with a user named "CrAcKeR" on the EFnet IRC network. By logging
onto EFnet and querying this user's profile there, I gathered that s/he
is some sort of crook -- s/he's logged into multiple bootleg-software-trading and cracking-oriented chat channels.
On the strength of this evidence, I conducted a portscan of yourbox from
my host (mybox.example.net). This turned up several unusual open ports,
notably TCP ports 9886, 9887, and 22102. 22012 appears to be an SSH
server running on a nonstandard port; this has recently become a common
thing for crackers to install. 9886 and 9887 both seem to be running
a daemon which asks "Who are you?" when one telnets to it -- probably a
back door of some sort.
It appears that the system was cracked on Wednesday the 13th, around
5:57 AM. I'm not sure how the crack was performed. The first sign of
hostile activity I've found in the logs is an access to port 22102, the
backdoor SSH port, from a node in Israel, 127.123.45.67 (no DNS name).
There follows some FTP activity with another Israeli system, 127.234.56.78
(ftp.example.org.il); this is probably when yourbox downloaded the IRC
backdoor software. After that, it begins to access several IRC servers,
finally settling on irc.example.edu.
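The timeline above was pieced together by reading connection logs in order: an inbound hit on an odd high port, then outbound FTP, then a string of IRC connections. As an added illustration (not part of the original message), here is a small Python script that does that classification over a few constructed flow records; the record format, the host address 10.0.0.9 and the documentation-range remote addresses are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample flow records (not from the original page); format is
# "<ISO timestamp> <src ip>:<port> -> <dst ip>:<port>", one connection each,
# listed initiator first.
SAMPLE_FLOWS = """\
2000-09-13T05:40:02 10.0.0.5:34211 -> 10.0.0.9:80
2000-09-13T05:57:13 192.0.2.67:40022 -> 10.0.0.9:22102
2000-09-13T06:02:45 10.0.0.9:35101 -> 198.51.100.78:21
2000-09-13T06:10:09 10.0.0.9:35120 -> 203.0.113.10:6667
2000-09-13T06:11:30 10.0.0.9:35121 -> 203.0.113.11:6667
2000-09-13T06:20:00 10.0.0.9:35122 -> 203.0.113.12:6667
"""

FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IRC_PORTS = range(6660, 6670)   # the usual IRC server port range
FTP_PORT = 21

def parse_flow(line):
    """Return (timestamp, src, sport, dst, dport) or None for a bad line."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport = m.groups()
    return (datetime.fromisoformat(ts), src, int(sport), dst, int(dport))

def classify(flow, host):
    """Label a flow involving `host` the way the incident write-up does."""
    ts, src, sport, dst, dport = flow
    if dst == host and dport > 1024:          # service on a nonstandard port
        return "inbound-to-nonstandard-port"
    if src == host and dport == FTP_PORT:     # fetching tools from outside
        return "outbound-ftp"
    if src == host and dport in IRC_PORTS:    # talking to IRC servers
        return "outbound-irc"
    return None

def reconstruct_timeline(text, host):
    """Ordered list of (timestamp, label, 'src:port->dst:port') events."""
    events = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        label = classify(flow, host)
        if label:
            conn = f"{flow[1]}:{flow[2]}->{flow[3]}:{flow[4]}"
            events.append((flow[0].isoformat(), label, conn))
    return sorted(events)

def first_hostile(text, host):
    """Timestamp of the earliest suspicious event, or None."""
    events = reconstruct_timeline(text, host)
    return events[0][0] if events else None
```

On the constructed data the script reports the first suspicious event at 05:57:13, the inbound connection to the high port, followed by the FTP fetch and the IRC connections.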
We recommend that when a host is compromised in this fashion, that the
operating system binaries and system configuration (crontabs, scripts,
etc.) be completely reinstalled from known-good media, then brought up
to date with the vendor's latest security patches. This is because it
is near-impossible to root out all the modifications the cracker may
have made -- backdoors, trojaned copies of system binaries, and the
like.
Sorry to be the bearer of ill news, but ... these things happen. I
hope this won't be too much more trouble. Please let me know if I can
be of any assistance in getting this system working securely again.
Thanks.