Hello. I thought I'd take a few minutes to recap our current situation, fill in some of the gaps in the information that has been disclosed, and offer up a more focused forum for questions and answers about our current downtime.

A few months back, M-Net was compromised by a user named "xdr". If I recall correctly, he took advantage of an unchecked buffer (and a local configuration boo-boo) in webyapp to gain root. After that hole was closed, mjb uncovered a back door that had been left behind. Entering "vtxdr" at the "terminal type" prompt in newuser dumped the user into a root shell prompt. M-Net's entire staff was advised of the breach, and for several days, several of us concentrated our efforts on locating any other holes that had been opened. We found none.

Everything was normal for a while. xdr showed up in party one afternoon, participating in some rather pleasant conversations with a few people. Seemed like a nice guy. He showed up at our board meeting, and introduced himself as "Jason". I commented on where I recognized his username from.

A few days after our board meeting, I tried logging into M-Net, and found that my password had been changed. I contacted Rex immediately. After recovering my account, I helped casper and mjb get back online -- it turned out that every root's password had been changed, except for Rex's. We looked around for holes, but found nothing. Whatever he did, he carefully covered his tracks. Over the next few days, I periodically noticed "footprints" -- root activity on a pty with no corresponding wtmp record, etc. We started discussing strategies for securing M-Net. We came up with several ideas, and started working together on some of the implementation plan. Then M-Net went down.

It was decided fairly quickly that no matter what, we wanted to get some new equipment in place, and we wanted to start fresh with M-Net. Our logic was this: if M-Net was down due to hardware failure, we'd need new hardware anyway, and if M-Net was down due to vandalism, we'd probably want a clean slate, too. tod coordinated the purchase of a new system, rounding up financial contributions from himself, trex, jerryr and me. We collectively purchased an AMD Athlon 750MHz with 128MB of RAM, which we are donating to Arbornet. This system is currently in Rex's possession.

Rex has picked up the M-Box from WWNet in Livonia. He was unable to log into the system in multi-user mode. Details of the backup process were discussed in another item.

From here, the plan (as I understand it) is as follows:
1) Install FreeBSD-4 on the new M-Box,
2) Carefully compile and test all of our various 3rd party software (Yapp, Apache, Orville-Write, Party, and so forth),
3) Recover as much data as possible (user mail, conferences, user home directories, and so forth),
4) Restore M-Net to service.

This is not a "snap our fingers" process. It requires a lot of skilled man-hours. We ARE doing our best to get M-Net back online as quickly as we can. I can't speak for everyone, but this was among the worst possible weeks for us to have this kind of problem, as far as my work schedule is concerned. I'm buried up to my nose at the office. I'm not sure how many more processor cycles my brain can spare towards this nightmare.

Hang in there, people. We'll be back as soon as we can, bigger and better than before. Details here as available. Rex, please fill in any holes or make any corrections. I'm running on empty. Time for sleep.
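The "footprints" the post above describes (root activity on a pty with no corresponding wtmp/utmp record) can be checked mechanically by correlating the process table with the login records. The script below is an added example and is not code from the original post or from the M-Net staff; it works on constructed sample text shaped like `ps -eo pid,user,tty,comm` and `who` output, so the ttys, usernames and hostnames in it are made up. On a live system you would feed it the real output of those two commands.

```python
"""Flag interactive root sessions that have no matching login record.

Added example (not the M-Net staff's own tooling). It mimics the "footprints"
check from the post: root processes attached to a pseudo-terminal that no
login ever registered in utmp/wtmp. The SAMPLE_* strings are constructed
data in the shape of `ps -eo pid,user,tty,comm` and `who` output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    user: str
    tty: str   # controlling terminal, e.g. "ttyp2"; "-" if none
    comm: str


@dataclass(frozen=True)
class Session:
    user: str
    tty: str


# Constructed sample: what `ps -eo pid,user,tty,comm` might show.
SAMPLE_PS = """\
  PID USER     TT       COMMAND
    1 root     -        init
  412 root     ttyp0    sh
  413 willard  ttyp1    csh
  577 root     ttyp2    sh
  578 root     ttyp2    ls
  602 casper   ttyp3    tcsh
  603 root     ttyp3    su
"""

# Constructed sample: what `who` (built from utmp) might show at the same time.
SAMPLE_WHO = """\
willard  ttyp1    Jan 10 21:02 (dialup.example.org)
casper   ttyp3    Jan 10 21:15 (host.example.net)
"""


def parse_ps(text):
    """Parse `ps -eo pid,user,tty,comm` output, skipping the header line."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, tty, comm = parts
        procs.append(Proc(int(pid), user, tty, comm))
    return procs


def parse_who(text):
    """Parse `who` output into (user, tty) sessions; the rest is ignored."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            sessions.append(Session(parts[0], parts[1]))
    return sessions


def orphan_root_ttys(procs, sessions):
    """Return sorted ttys on which root has processes but nobody is logged in.

    A root shell reached via `su` from a logged-in user sits on a tty that
    does have a login record (ttyp3 in the sample), so it is not flagged.
    ttyp0 and ttyp2 are flagged: root is active there and no login was
    ever recorded for those pseudo-terminals.
    """
    logged_in = {s.tty for s in sessions}
    suspect = {p.tty for p in procs
               if p.user == "root" and p.tty != "-" and p.tty not in logged_in}
    return sorted(suspect)


def report(ps_text=SAMPLE_PS, who_text=SAMPLE_WHO):
    """Run the check over the two text inputs and return the suspect ttys."""
    return orphan_root_ttys(parse_ps(ps_text), parse_who(who_text))


if __name__ == "__main__":
    for tty in report():
        print(f"root activity on {tty} with no login record")
```

The caveat the post itself hints at ("he carefully covered his tracks") applies here: on a box where root has already been taken, `ps`, utmp and wtmp can all be edited or replaced, so a clean result proves nothing and a hit is a reason to look harder, not a verdict. Running the same check from a trusted boot medium against the mounted disk's wtmp is the stronger form.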
123 responses total.
thanks.
it's been noted before, but to keep the update complete it should be mentioned that the hdd in the new box was donated by seldon.
Thanks for the update, Mike. Let me know if there's anything I can do to help.
Thanks for the update and thanks for all the effort. It isn't going to kill me if Mnet is down for a bit.
no...BUT I MIGHT KILL YOU.
Thanks for your hard work, guys. Take the time to do it right. Let us know if we should send pizza.
It's wonderful to hear that you, Rex, and others are doing all this, willard! FWIW, the Board unanimously approved the purchase of the new System.
GOOD JOB, KEMOSABE!
Thanks for the update, Mike. We should try to get this post into the website for folks that don't normally check Grex. BTW, I saw Jason drive away from the BoD meeting in a white Saturn with a fishing cap. If you have further info on 'xdr', please forward it to me. (We could use more root talent like his! *smirk*)
#7: To clarify, Arbornet did not purchase this system. A group of users purchased the system and collectively donated it.
I've got a list of things I'm going to try to accomplish this afternoon.
I'll be more descriptive after I get to the office.
This response has been erased.
Do we have any reason to believe he's the one who did it? And should we be talking about this on Ann Arbor's other conferencing system, which he is presumably now reading?
Back to the topic at hand, I'm going to take care of some stuff and then head into the office. I'll be back online in awhile. I'm on ICQ at 8744004 or AIM at Smike430 if anyone needs to track me down when I'm not on Grex.
Re the xdr thing: I'd like for someone to speak to jp about what he might know. I'm also concerned about what I see as his (jp's) "I dare you to knock this chip off my shoulder" attitude he has demonstrated toward would-be hackers in party. While I have no evidence of a connection between anything he has said in party and what has happened to m-net, I have been concerned in the past that his approach might provoke others to "test" m-net, particularly after the slashdot article.
And in general, both M-Net and grex present themselves as targets because of the talent gathered, making them a prize to hack, an accomplishment.
For those of us who don't know much about non-PC computer models, how new/top-or-bottom-of-the-line is an Avalon? Item 32 mentioned vandalism. Was there any physical damage to the m-box, or was this just a hacking job?
This response has been erased.
heh i have no technical savvy at all. if you see anything 'intelligent' coming from my account, you can be assured it is not I behind it. <hahaha.. now come the onslaught of wise cracks>
an unfortunate choice of terminology iggs
but i can get away with it because i dont take myself too seriously. plus i'm cute.
interesting that all the root users' pw's were changed except t-rex's -- and why would xdr put in a backdoor that included his login id as part of it (vtxdr)? I think signs point to xdr being framed as the vandal.
This is a sensitive subject -- let's not discuss it any further, please. As soon as we're able to, we'll disclose everything we can. A lot more information is coming into light that can't/shouldn't be posted or discussed here. No more speculating.
i admit it, while i was admiring igbor's crack (i had no idea at the time it was wise) i cranked up my jr. space ranger ray gun and zapped the system. i am so ashamed.
re: 17 -- It's "Athlon", not "Avalon". And in performance tests, they consistently spank Pentium-III processors in all categories up to 1GHz. (An Athlon 500 runs about as fast as a P-III 600, etc.)
Update: Tony Publiski (tonster) at WWNet is being very helpful in getting some stuff in place for us. We are working on:
1) Spooling incoming E-Mail for arbornet.org (currently messages are being returned to senders reading "arbornet.org: host unknown").
2) Restoring www.arbornet.org to service (minus M-Net specific functions) -- this is done.
3) Setting up a telnet server at m-net.arbornet.org to respond with an error message stating that M-Net is down, and to visit our homepage for details.
If you ever read this, Tony, thanks again. :-)
thanks to everyone who has been helping to get mnet back up and to those of you who donated to the new system, and thanks to anyone i forgot
Okay, we're in business. Mail is spooling, telnet is answering, www.arbornet.org is back up and running. Stay tuned, folks. We're getting there.
Nice message, thanks.
I have no idea why my password wasn't changed. I'm here, working hard on m-net with half a brain, and wcc's stuff with the other half. ;)
http://m-net.arbornet.org is now displaying an update.
Great!!
That rules. Great work, guys.
i just logged onto www.arbornet.org: no mention of mnet being down... nor in www.arbornet.org/m-net/
This response has been erased.
Sorry I took so long, folks. www.arbornet.org has a link to this post (#0), which is www.arbornet.org/willard_post.html I'm about to put one on m-net's homepage as well. Thanks a ton everyone. Really fucking cool of you. Really.
cool there's that familiar blue and yellow and white. this pistachio stuff's got me queasy.
i know! it's like expecting a doublestuff oreo but getting a spartan brand maple creme instead...
you don't like that shit? there isn't any color on the update post, last I checked...
- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss