Chaps,
this all looks as though it might be relevant...
cheers,
c.
---------- Forwarded message ----------
Date: Thu, 7 Oct 2004 14:46:34 +0100 (BST)
From: Donald Grigor <[log in to unmask]>
To: [log in to unmask], physics linux admin <[log in to unmask]>
Subject: IMPORTANT!! Probable Compromise at RAL
Hello,
This morning we received notification from the Rutherford Appleton
Laboratories that they have had a compromised or hacked host.
If you are a user with an account at RAL, please read the mail below
immediately. If you have logged into any machine from the RAL
domain during the period specified please:
(1) Change your password on any machine to which you connected
(2) Contact Liz McIvor ([log in to unmask]) immediately
Even if you are not at risk from logging in during the period
specified below, let me re-emphasise that you must NEVER share
passwords between accounts in Edinburgh and other locations. If you
have shared passwords at RAL and Edinburgh, please contact Liz ASAP.
We are very anxious that users from physics may have logged into the
compromised host csfmove02.rl.ac.uk 130.246.183.133 or any other hosts at
the Rutherford labs.
Any users who may have logged into the above host MUST change their user
password. I would also advise all other users who have logged into RAL
since the end of September to change their passwords as a precaution too.
This hack looks like a direct result of the CERN hack we saw towards the
end of last month. It would suggest that local account details for RAL
were obtained from the CERN compromise and a successful attack has also
been launched on RAL.
Given that the above is a distinct possibility I would advise all users not
to log into RAL until we have the all clear. We will advise you when RAL
consider themselves secure again.
Many thanks for your help and co-operation.
Regards,
Donald Grigor
IfP Computing Support Team.
-~~~~~~~~~~~~~~~~~~~~~~Donald Grigor~~~~~~~~~~~~~~~~~~~~~~~~
-CST, School of Physics ext 0131 6513 594
-Rm 2110/2, JCMB fax 0131 650 5902
-Kings Buildings
-Edinburgh University int 513 594
-EH9 3JZ
-
-NB please attach only txt, jpg, pdf + gif file types
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---------- Forwarded message ----------
Date: Thu, 7 Oct 2004 11:43:45 +0100
From: "Sansum, RA (Andrew)" <[log in to unmask]>
To: [log in to unmask]
Subject: FW: Probable Compromise at RAL
FYI
> -----Original Message-----
> From: Sansum, RA (Andrew)
> Sent: 07 October 2004 11:41
> To: [log in to unmask]; [log in to unmask]
> Subject: Probable Compromise at RAL
>
> We received a report this morning from offsite of suspect activity from
> our host:
>
> csfmove02.rl.ac.uk 130.246.183.133
>
> Initial investigations at RAL show outbound network activity to:
>
> dst=193.110.95.1:6667
>
> Since the 1st October 13:03.
>
> Investigations on the host show a klogd running apparently as user
> bfactory (A Babar production ID). chkrootkit suggests LKM is installed and
> thus a possible compromise - chkrootkit can give false positives.
>
> - We have taken the system off the network
> - We are carrying out more detailed investigations to confirm exactly what
> has gone on.
> - We have disabled the bfactory ID
>
> We will obviously be looking at other hosts in the cluster. We are also
> checking logs to see what userids have traversed the system since the
> intrusion began.
>
> Host is running Redhat 7.2 patched up to date with Fedora Legacy.
>
> We will post more as soon as we have additional information.
>
> Regards
> Andrew Sansum
> Tier1 Manager
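The two host-level indicators Andrew Sansum reports (an outbound connection to 193.110.95.1 on port 6667, which is the default IRC port, and klogd, normally a root-owned daemon, running as the unprivileged production account bfactory) are the kind of thing a site admin would want to check for across the rest of a cluster. The script below is an added example, not part of the original mail thread or of RAL's own tooling: it runs the two checks over constructed `netstat -tn` and `ps -eo user,pid,comm` style output. The column layout it assumes is the one those commands print on Linux; the sample lines, the set of root-only daemon names, and the treatment of 6667 as a suspect port are assumptions for the example, and, as the mail itself notes about chkrootkit, a single hit is a reason to investigate, not proof of compromise.

```python
"""Triage checks for the indicators in the forwarded RAL notice (added example).

Indicators from the notice:
  1. outbound activity to 193.110.95.1:6667 (6667 is the standard IRC port)
  2. klogd running as the unprivileged account bfactory instead of root

The SAMPLE_* strings below are constructed for this example, not real
captures from csfmove02.
"""

# Destination named in the notice plus the IRC port it was talking to.
KNOWN_BAD_DESTINATIONS = {"193.110.95.1"}
SUSPECT_PORTS = {6667}

# Daemons assumed to run only as root on a stock Red Hat 7.2 style host.
ROOT_ONLY_DAEMONS = {"klogd", "syslogd", "init", "kswapd"}

# Constructed sample in the layout of `netstat -tn` on Linux.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 130.246.183.133:22      130.246.183.10:51234    ESTABLISHED
tcp        0      0 130.246.183.133:40211   193.110.95.1:6667       ESTABLISHED
tcp        0      0 130.246.183.133:40212   130.246.183.20:2049     ESTABLISHED
"""

# Constructed sample in the layout of `ps -eo user,pid,comm`.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 init
root       412 syslogd
bfactory   413 klogd
bfactory  2201 bash
"""


def suspicious_connections(netstat_text):
    """Return (local, remote_ip, remote_port) tuples for connections to a
    known-bad destination or to a suspect port."""
    hits = []
    for line in netstat_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue
        local, foreign = parts[3], parts[4]
        ip, _, port = foreign.rpartition(":")  # rpartition copes with IPv6 too
        if not port.isdigit():
            continue
        port = int(port)
        if ip in KNOWN_BAD_DESTINATIONS or port in SUSPECT_PORTS:
            hits.append((local, ip, port))
    return hits


def daemons_with_wrong_owner(ps_text):
    """Return (user, pid, comm) tuples for root-only daemons owned by another user."""
    hits = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        user, pid, comm = parts
        if comm in ROOT_ONLY_DAEMONS and user != "root":
            hits.append((user, int(pid), comm))
    return hits


def triage(netstat_text, ps_text):
    """Combine both checks into one report for a host."""
    return {
        "connections": suspicious_connections(netstat_text),
        "daemons": daemons_with_wrong_owner(ps_text),
    }


if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_NETSTAT, SAMPLE_PS).items():
        print(kind, findings)
```

On a live host the same functions can be fed the real output of `netstat -tn` and `ps -eo user,pid,comm`; the point of the second check is that a kernel-log daemon owned by a production account is anomalous regardless of what chkrootkit reports, so it is a useful cross-check when the rootkit scanner's LKM warning might be a false positive.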