Not long ago, and not entirely without preparation, the burden of monitoring network security at my workplace was placed upon my shoulders. The following is the text of a message I recently sent to a coworker, to tell her that her workstation had been broken into.

Names and addresses of people and computers have been changed; names of IRC networks and countries have not. Hardlinks and some other markup have been added. The grammar is a bit rough in spots, and there's a typo or two; I've left these intact. I still find writing these messages a bit stressful.


Marie --

It appears that yourbox.example.net has been cracked, and has been since Wednesday. The DNS tables say that this is a machine in your office. This message is to let you know that I've blocked it from the outside Internet, and to let you know the reasons I believe it's compromised. I recommend that the operating system be reinstalled and upgraded to the latest release before it is allowed on the outside Net again.


Our security monitoring software picked up a large quantity of unusual-looking IRC (Internet Relay Chat) activity from yourbox to irc.example.edu. Specifically, it appears that yourbox is exchanging some sort of binary data with a user named "CrAcKeR" on the EFnet IRC network. By logging onto EFnet and querying this user's profile there, I gathered that s/he is some sort of crook -- s/he's logged into multiple bootleg-software-trading and cracking-oriented chat channels.

On the strength of this evidence, I conducted a portscan of yourbox from my host (mybox.example.net). This turned up several unusual open ports, notably TCP ports 9886, 9887, and 22102. 22102 appears to be an SSH server running on a nonstandard port; this has recently become a common thing for crackers to install. 9886 and 9887 both seem to be running a daemon which asks "Who are you?" when one telnets to it -- probably a back door of some sort.

It appears that the system was cracked on Wednesday the 13th, around 5:57 AM. I'm not sure how the crack was performed. The first sign of hostile activity I've found in the logs is an access to port 22102, the backdoor SSH port, from a node in Israel, 127.123.45.67 (no DNS name). There follows some FTP activity with another Israeli system, 127.234.56.78 (ftp.example.org.il); this is probably when yourbox downloaded the IRC backdoor software. After that, it begins to access several IRC servers, finally settling on irc.example.edu.


We recommend that when a host is compromised in this fashion, the operating system binaries and system configuration (crontabs, scripts, etc.) be completely reinstalled from known-good media, then brought up to date with the vendor's latest security patches. This is because it is near-impossible to root out all the modifications the cracker may have made -- backdoors, trojaned copies of system binaries, and the like.

Sorry to be the bearer of ill news, but ... these things happen. I hope this won't be too much more trouble. Please let me know if I can be of any assistance in getting this system working securely again.

Thanks.
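The triage the message walks through (checking what the odd listeners say when poked, then reading the logs forward from the first access to the backdoor port) can be turned into a small script. What follows is an added example, not anything from the original message or the tools used at the time; the flow-log format, the IP addresses, the host name and the service banners are all constructed for illustration, and the IRC and FTP port sets are assumptions.

```python
"""Triage a suspected compromise from connection logs and service banners.

Added example: reconstructs the kind of timeline described in the e-mail
from constructed log lines. Nothing here is the original author's code.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed flow log (one connection per line): timestamp src:sport -> dst:dport proto.
# The compromised workstation is 192.0.2.10 (constructed, like every address here).
FLOW_LOG = """\
2002-03-13 06:10:10 192.0.2.10:1042 -> 198.51.100.9:6667 tcp
2002-03-12 23:11:00 192.0.2.10:1020 -> 198.51.100.20:80 tcp
2002-03-13 05:57:02 203.0.113.7:41022 -> 192.0.2.10:22102 tcp
2002-03-13 05:58:40 192.0.2.10:1034 -> 203.0.113.45:21 tcp
2002-03-13 06:03:15 192.0.2.10:1040 -> 198.51.100.5:6667 tcp
2002-03-13 06:05:02 192.0.2.10:1041 -> 198.51.100.6:6667 tcp
"""

# Constructed results of banner-grabbing the listening ports found by a portscan.
BANNERS: Dict[int, str] = {
    22: "SSH-2.0-OpenSSH_3.1",
    80: "HTTP/1.0 200 OK",
    9886: "Who are you?",
    9887: "Who are you?",
    22102: "SSH-2.0-OpenSSH_3.1",
}

# Services a workstation is expected to run, and the banner family expected on each port.
EXPECTED_SERVICES = {22: "ssh", 80: "http"}
IRC_PORTS = set(range(6660, 6670))   # assumption: classic IRC server port range
FTP_PORTS = {21}                     # assumption: FTP control channel only

FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


@dataclass
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow format and return flows in time order."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow line: {line!r}")
        flows.append(Flow(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                          m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"]))
    return sorted(flows, key=lambda f: f.ts)


def banner_family(banner: str) -> str:
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("HTTP/"):
        return "http"
    return "unknown"


def classify_listeners(banners: Dict[int, str]) -> Dict[int, str]:
    """Return {port: verdict} for every listener that is not a known service where it belongs."""
    findings = {}
    for port, banner in banners.items():
        fam = banner_family(banner)
        if EXPECTED_SERVICES.get(port) == fam:
            continue
        if fam == "ssh":
            findings[port] = "ssh on nonstandard port"
        else:
            findings[port] = f"unrecognised daemon ({banner!r})"
    return findings


def label_flow(f: Flow, host: str, backdoor_ports: Set[int]) -> str:
    if f.dst == host and f.dport in backdoor_ports:
        return "inbound backdoor access"
    if f.src == host and f.dport in FTP_PORTS:
        return "outbound ftp"
    if f.src == host and f.dport in IRC_PORTS:
        return "outbound irc"
    return "other"


def reconstruct_timeline(flows: List[Flow], host: str, backdoor_ports: Set[int]
                         ) -> Tuple[Optional[datetime], List[Tuple[datetime, str, str]]]:
    """Walk the sorted flows forward from the first inbound access to a suspect listener.

    Returns (first_hostile_ts, events); events are (ts, label, peer) for every
    backdoor, FTP or IRC connection from that point on. Traffic before the first
    backdoor access is ignored, so the result is a lower bound on dwell time.
    """
    first = None
    events = []
    for f in flows:
        label = label_flow(f, host, backdoor_ports)
        if first is None:
            if label != "inbound backdoor access":
                continue
            first = f.ts
        if label != "other":
            events.append((f.ts, label, f.src if f.dst == host else f.dst))
    return first, events


if __name__ == "__main__":
    suspect = classify_listeners(BANNERS)
    for port, verdict in sorted(suspect.items()):
        print(f"tcp/{port}: {verdict}")
    first, events = reconstruct_timeline(parse_flows(FLOW_LOG), "192.0.2.10", set(suspect))
    print(f"first hostile activity: {first}")
    for ts, label, peer in events:
        print(f"  {ts}  {label:<25} {peer}")
```

Two things the script makes explicit that the message only implies. The banner check treats an SSH greeting on a port other than 22 as suspect on its own, before any traffic is examined, because a second sshd is something a workstation owner rarely installs deliberately. And the timeline starts at the first logged use of the backdoor port, which is after the backdoor was installed; the real break-in must have happened earlier, through whatever hole the logs do not show, so the "since Wednesday" date is a lower bound rather than the intrusion time.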