I have forwarded the info to [log in to unmask] to create a ticket and ensure the EGI IRTF are aware of it. David Crooks is on duty today, and he has confirmed he has seen it.

Linda

From: Testbed Support for GridPP member institutes <[log in to unmask]> On Behalf Of Adrian Coveney - UKRI STFC
Sent: 12 May 2020 16:37
To: [log in to unmask]
Subject: Re: [HPC-SIG] Compromised of accounts across various UK HPC systems

How come this isn't coming via CSIRT? Has it been reported?

Adrian

From: Testbed Support for GridPP member institutes <[log in to unmask]> On Behalf Of David Britton
Sent: 12 May 2020 14:18
To: [log in to unmask]
Subject: Fwd: [HPC-SIG] Compromised of accounts across various UK HPC systems

Heads up: Not just HPC systems... see below.

D.

-------- Forwarded Message --------
Subject: [HPC-SIG] Compromised of accounts across various UK HPC systems
Date: Tue, 12 May 2020 13:15:00 +0000
From: Kenway, Owain <[log in to unmask]>
Reply-To: HPC Special Interest Group discussion list <[log in to unmask]>
To: [log in to unmask]

Hi all,

There appears to be some fairly co-ordinated attack of HPC centres across the UK (and we are aware of some systems in Germany). These appear to be compromised by gaining access to (unprotected?) SSH keys on systems already compromised and using them to jump onto others.

We've found three accounts affected at UCL, two UCL ones and one MMM Hub one and are working to identify whether they succeeded in escalating to root (as they have done at some other sites).

It's worth pointing out that not just HPC systems are affected, we found two of the compromised accounts on our central UCL Unix service.

A good sign is logs showing logins from two IP addresses in China, specifically:

202.120.32.231
159.226.161.107

Please look for evidence of this in your logs.

Sorry to be the bearer of bad news,

Owain

--
/UCL/ISD/RITS/Head of Research Computing/Owain Kenway
Twitter: @owainkenway || E-mail: [log in to unmask]
Internal: 59834 || External: 02031089834
6th Floor, 1-19 Torrington Place, WC1E 7HB

________________________________
To unsubscribe from the HPC-SIG list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=HPC-SIG&A=1

________________________________
To unsubscribe from the TB-SUPPORT list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=TB-SUPPORT&A=1
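
The log check requested in the forwarded message, as an added example that is not part of the original thread: it scans OpenSSH sshd log lines for accepted logins from the two quoted addresses and, because the message says stolen SSH keys are being used to move between systems, also lists other addresses from which the same key fingerprints were accepted. The sample log lines, hostnames, account names and fingerprints are constructed for illustration, and the standard sshd "Accepted ... ssh2" syslog format is assumed.

```python
import re
from collections import defaultdict

# Source addresses quoted in the message above.
INDICATOR_IPS = {"202.120.32.231", "159.226.161.107"}

# OpenSSH success line: "Accepted <method> for <user> from <ip> port <n> ssh2[: <type> <fp>]"
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2(?:: \S+ (?P<fp>\S+))?"
)

def triage(lines):
    """Return (hits, key_reuse).

    hits: account -> [(ip, method, fingerprint)] for logins from INDICATOR_IPS.
    key_reuse: fingerprint -> sorted (account, ip) pairs where a key seen from
    an indicator address was also accepted from some other address.
    """
    logins = [m.groupdict() for m in map(ACCEPTED.search, lines) if m]
    hits = defaultdict(list)
    for ev in logins:
        if ev["ip"] in INDICATOR_IPS:
            hits[ev["user"]].append((ev["ip"], ev["method"], ev["fp"]))
    # Keys accepted from an indicator address are treated as exposed.
    suspect_keys = {fp for evs in hits.values() for _, _, fp in evs if fp}
    key_reuse = defaultdict(set)
    for ev in logins:
        if ev["fp"] in suspect_keys and ev["ip"] not in INDICATOR_IPS:
            key_reuse[ev["fp"]].add((ev["user"], ev["ip"]))
    return dict(hits), {fp: sorted(uses) for fp, uses in key_reuse.items()}

# Constructed sample log lines (hosts, accounts and fingerprints are made up).
SAMPLE_LOG = """\
May 11 22:14:03 login01 sshd[4121]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2: RSA SHA256:AAAAconstructedKey1
May 12 03:41:17 login01 sshd[5310]: Accepted publickey for alice from 202.120.32.231 port 41822 ssh2: RSA SHA256:AAAAconstructedKey1
May 12 03:55:40 login01 sshd[5377]: Accepted publickey for bob from 159.226.161.107 port 38110 ssh2: ED25519 SHA256:BBBBconstructedKey2
May 12 04:02:09 login01 sshd[5402]: Failed password for root from 159.226.161.107 port 38155 ssh2
May 12 09:30:51 login01 sshd[6120]: Accepted password for carol from 198.51.100.7 port 60211 ssh2
""".splitlines()

if __name__ == "__main__":
    hits, key_reuse = triage(SAMPLE_LOG)
    for user, events in sorted(hits.items()):
        print(f"{user}: accepted login from indicator address: {events}")
    for fp, uses in key_reuse.items():
        print(f"{fp}: same key also accepted from {uses}; treat the key as exposed")
```

Key fingerprints only appear in the log when sshd's LogLevel records them for public-key logins, so an empty key_reuse result does not by itself show that a key was not reused.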