willard
M-Net Downtime Update -- 06/07/2000   Jun 7 05:24 UTC 2000

Hello.  I thought I'd take a few minutes to recap our current situation,
fill in some of the gaps in the information that has been disclosed, and
offer up a more focused forum for questions and answers about our current
downtime.

A few months back, M-Net was compromised by a user named "xdr".  If I
recall correctly, he took advantage of an unchecked buffer (and a local
configuration boo-boo) in webyapp to gain root.  After that hole was
closed, mjb uncovered a back door that had been left behind.  Entering
"vtxdr" at the "terminal type" prompt in newuser dumped the user into a 
root shell prompt.

M-Net's entire staff was advised of the breach, and for several days,
several of us concentrated our efforts on locating any other holes that
had been opened.  We found none.

Everything was normal for a while.

xdr showed up in party one afternoon, participating in some rather
pleasant conversations with a few people.  Seemed like a nice guy.  He
showed up at our board meeting, and introduced himself as "Jason".  I
commented on where I recognized his username from.

A few days after our board meeting, I tried logging into M-Net, and found
that my password had been changed.  I contacted Rex immediately.  After
recovering my account, I helped casper and mjb get back online -- it
turned out that every root's password had been changed, except for Rex's.

We looked around for holes, but found nothing.  Whatever he did, he
carefully covered his tracks.  Over the next few days, I periodically
noticed "footprints" -- root activity on a pty with no corresponding wtmp
record, etc.  

We started discussing strategies for securing M-Net.  We came up with
several ideas, and started working together on some of the implementation
plan.  Then M-Net went down.

It was decided fairly quickly that no matter what, we wanted to get some
new equipment in place, and we wanted to start fresh with M-Net.  Our
logic was this:  If M-Net was down due to hardware failure, we'd need new
hardware anyways, and if M-net was down due to vandalism, we'd probably
want a clean slate, too.

tod coordinated the purchase of a new system, rounding up financial
contributions from himself, trex, jerryr and me.  We collectively
purchased an AMD Athlon 750MHz with 128MB of RAM, which we are
donating to Arbornet.  This system is currently in Rex's possession.

Rex has picked up the M-Box from WWNet in Livonia.  He was unable 
to log into the system in multi-user mode.  Details of the backup 
process were discussed in another item.

From here, the plan (as I understand it) is as follows:

1) Install FreeBSD-4 on the new M-Box,
2) Carefully compile and test all of our various 3rd party software (Yapp,
   Apache, Orville-Write, Party, and so forth),
3) Recover as much data as possible (user mail, conferences, user home
   directories, and so forth),
4) Restore M-Net to service.

This is not a "snap our fingers" process.  It requires a lot of skilled
man-hours.  We ARE doing our best to get M-Net back online as quickly as
we can.

I can't speak for everyone, but this was among the worst possible weeks
for us to have this kind of problem, as far as my work schedule is
concerned.  I'm buried up to my nose at the office.  I'm not sure how many
more processor cycles my brain can spare towards this nightmare. 

Hang in there, people.  We'll be back as soon as we can, bigger and better
than before.  Details here as available.  Rex, please fill in any holes or
make any corrections.  I'm running on empty.  Time for sleep.
123 responses total.
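The "footprints" willard describes (root activity on a pty with no matching login record) can be checked mechanically by cross-referencing the process table with the login accounting records. The script below is an added example, not code from the original thread or from M-Net; the `ps` and `who` samples are constructed, and the tty names and hostnames in them are made up.

```python
from collections import defaultdict

# Constructed sample of `ps -eo user,tty,pid,comm` output (not real M-Net data).
# ttyp2 has root processes but, as shown below, no login record at all.
PS_SAMPLE = """\
USER     TT       PID COMMAND
root     ?          1 init
willard  ttyp0   1203 bash
willard  ttyp0   1290 yapp
casper   ttyp1   1311 bash
root     ttyp2   1402 sh
root     ttyp2   1410 vi
"""

# Constructed sample of `who` output (one line per session recorded in utmp).
WHO_SAMPLE = """\
willard  ttyp0    Jun  6 22:10 (host.example)
casper   ttyp1    Jun  6 23:41 (other.example)
"""


def parse_ps(text):
    """Return {tty: set(users)} for processes attached to a terminal."""
    procs = defaultdict(set)
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        user, tty = fields[0], fields[1]
        if tty != "?":  # '?' means no controlling terminal (daemons)
            procs[tty].add(user)
    return procs


def parse_who(text):
    """Return {tty: user} for sessions that have a utmp/wtmp login record."""
    sessions = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            sessions[fields[1]] = fields[0]
    return sessions


def orphan_ttys(ps_text, who_text):
    """Terminals with live processes but no login session record.

    Returns a sorted list of (tty, sorted list of process owners); a root
    entry here is the 'pty with no wtmp record' footprint from the post."""
    procs = parse_ps(ps_text)
    sessions = parse_who(who_text)
    return sorted((tty, sorted(users))
                  for tty, users in procs.items() if tty not in sessions)
```

Because an intruder with root can edit utmp/wtmp and replace `ps` on the compromised host, run the comparison with binaries from trusted media and treat a clean result as absence of evidence, not proof of a clean system.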
happyboy
response 1 of 123:   Jun 7 11:05 UTC 2000

thanks.
jerryr
response 2 of 123:   Jun 7 11:05 UTC 2000

it's been noted before, but to keep the update complete it should be mentioned
that the hdd in the new box was donated by seldon.
jmsaul
response 3 of 123:   Jun 7 12:36 UTC 2000

Thanks for the update, Mike.  Let me know if there's anything I can do to
help.
slynne
response 4 of 123:   Jun 7 12:52 UTC 2000

Thanks for the update and thanks for all the effort. It isn't going to kill
me if Mnet is down for a bit.
happyboy
response 5 of 123:   Jun 7 13:09 UTC 2000

no...BUT I MIGHT KILL YOU.
realtao
response 6 of 123:   Jun 7 14:11 UTC 2000

Thanks for your hard work, guys.  Take the time to do it right.  Let
us know if we should send pizza.
dpc
response 7 of 123:   Jun 7 14:13 UTC 2000

It's wonderful to hear that you, Rex, and others are doing all
this, willard!  FWIW, the Board unanimously approved the purchase
of the new System.
happyboy
response 8 of 123:   Jun 7 14:36 UTC 2000


happyboy
response 9 of 123:   Jun 7 14:37 UTC 2000

GOOD JOB, KEMOSABE!
tod
response 10 of 123:   Jun 7 14:41 UTC 2000

Thanks for the update, Mike.  We should try to get this post into the
website for folks that don't normally check Grex.

BTW, I saw Jason drive away from the BoD meeting in a white Saturn with
a fishing cap. If you have further info on 'xdr', please forward it to me.
(We could use more root talent like his! *smirk*)
willard
response 11 of 123:   Jun 7 14:45 UTC 2000

#7: To clarify, Arbornet did not purchase this system.  A group of users
    purchased the system and collectively donated it.

I've got a list of things I'm going to try to accomplish this afternoon.
I'll be more descriptive after I get to the office.
willard
response 12 of 123:   Jun 7 14:47 UTC 2000

This response has been erased.

jmsaul
response 13 of 123:   Jun 7 14:58 UTC 2000

Do we have any reason to believe he's the one who did it?  And should we be
talking about this on Ann Arbor's other conferencing system, which he is
presumably now reading?
willard
response 14 of 123:   Jun 7 15:03 UTC 2000

Back to the topic at hand, I'm going to take care of some stuff and then
head into the office.  I'll be back online in awhile.  I'm on ICQ at
8744004 or AIM at Smike430 if anyone needs to track me down when I'm not
on Grex.  
cyklone
response 15 of 123:   Jun 7 16:48 UTC 2000

Re the xdr thing: I'd like for someone to speak to jp about what he might
know. I'm also concerned about what I see as his (jp's) "I dare you to
knock this chip off my shoulder" attitude he has demonstrated toward
would-be hackers in party. While I have no evidence of a connection
between anything he has said in party and what has happened to m-net, I
have been concerned in the past that his approach might provoke others to
"test" m-net, particularly after the slashdot article.

jor
response 16 of 123:   Jun 7 16:56 UTC 2000

        And in general, both M-Net and grex present themselves
        as targets because of the talent gathered, making them
        a prize to hack, an accomplishment.


don
response 17 of 123:   Jun 7 17:05 UTC 2000

For those of us who don't know much about non-PC computer models, how
new/top-or-bottom-of-the-line is an Avalon?

Item 32 mentioned vandalism. Was there any physical damage to the m-box, or
was this just a hacking job?
jp2
response 18 of 123:   Jun 7 17:14 UTC 2000

This response has been erased.

iggy
response 19 of 123:   Jun 7 17:23 UTC 2000

heh
i have no technical savvy at all.
if you see anything 'intelligent' coming from my account, you can
be assured it is not i behind it.
<hahaha.. now come the onslaught of wise cracks>
jor
response 20 of 123:   Jun 7 18:00 UTC 2000

        an unfortunate choice of terminology iggs
iggy
response 21 of 123:   Jun 7 18:08 UTC 2000

but i can get away with it because i dont take myself too seriously.
plus i'm cute.
richard
response 22 of 123:   Jun 7 18:24 UTC 2000

interesting that all the root users' pw's were changed except t-rex's--
and why would xdr put in a backdoor that included his login id as part of
it (vtxdr)?  I think signs point to xdr being framed as the vandal.
willard
response 23 of 123:   Jun 7 18:32 UTC 2000

This is a sensitive subject -- let's not discuss it any further, please.
As soon as we're able to, we'll disclose everything we can.  A lot more
information is coming into light that can't/shouldn't be posted or
discussed here.  No more speculating.
jerryr
response 24 of 123:   Jun 7 18:32 UTC 2000

i admit it, while i was admiring igbor's crack (i had no idea at the time it
was wise) i cranked up my jr. space ranger ray gun and zapped the system. 
i am so ashamed.

- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss