
> -----Original Message-----
> From: LHC Computer Grid - Rollout 
> [mailto:[log in to unmask]] On Behalf Of 
> Dimitris Zilaskos
> Sent: Tuesday, July 11, 2006 7:58 PM
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] Intrusion at RAL-LCG2
> 
> 	Hello,
> Sansum, RA (Andrew) wrote:
> > On the 8th July at 16:21 an unauthorised person logged onto one of our
> > users' accounts (user: HSWC Tseung id: wan) from host fig.chaw.com to
> > our host lcgui0358.gridpp.rl.ac.uk.
> > fig.chaw.com is also implicated in another incident at Imperial College
> > (which I am told does not directly impact the Tier-2). We have asked for
> > the host to be blocked at the firewall but the dig information is worrying.
> 
> 	This and the report from LIP may be coincidence but it is worth
> investigating. I also searched for this IP address in our logs; so far
> nothing has come up.
> Has [log in to unmask] and/or [log in to unmask] been informed? I haven't
> seen any e-mail but my mailbox is so busy these days :)
> 
> > 
> > So far we have found no evidence that they gained root access; however
> > they poked around for about 8 minutes and almost certainly took a copy
> > of our password file (which is regularly cracked by us so is pretty
> > tight in the short term). We are still carrying out checks to see what
> > else we can find.
> > We are also considering what to do about the password file but as a
> > minimum will be advising password changes.
> 
> 	I am a bit confused. By password file do you mean /etc/passwd? If my
> (bad) memory serves well, /etc/passwd files containing password hashes
> have been obsolete since the mid 90s. If you have a modern unix system,
> /etc/shadow is the file containing the actual password hashes and is
> only readable by root. A copy of /etc/passwd does not reveal any more
> information than what is already available to any regular user of the
> system.

We believe, given that the account logs show several 'ypcat' commands, that the intruder copied our NIS maps.

The system indeed does not have passwords in /etc/passwd, and /etc/shadow is not user-accessible.

> 	Also, by "cracked by us" do you mean you are running 
> tools like john against your /etc/shadow? 

We have a cracking engine running against our password 'file', where 'file' is the NIS password list. I'm not going to divulge in public what technology we use.

> In my experience users are uncomfortable with such practices (and in some
> countries this is a grey legal area involving privacy issues). A more
> convenient and easy solution is the employment of a tool like pam_cracklib
> to prevent weak passwords from ever being set, rather than devoting effort
> to cracking them later and chasing people to change them.

See above.

Martin.

-- 
  Martin Bly      |      RAL Tier1 Systems Team
  T: +44|0 1235 446981  |  F: +44|0 1235 446626 
