

I have forwarded the info to [log in to unmask] to create a ticket and ensure the EGI IRTF are aware of it.  David Crooks is the duty today, and he has confirmed he has seen it.

 

Linda

 

From: Testbed Support for GridPP member institutes <[log in to unmask]> On Behalf Of Adrian Coveney - UKRI STFC
Sent: 12 May 2020 16:37
To: [log in to unmask]
Subject: Re: [HPC-SIG] Compromised of accounts across various UK HPC systems

 

How come this isn’t coming via CSIRT? Has it been reported?

 

Adrian

 

From: Testbed Support for GridPP member institutes <[log in to unmask]> On Behalf Of David Britton
Sent: 12 May 2020 14:18
To: [log in to unmask]
Subject: Fwd: [HPC-SIG] Compromised of accounts across various UK HPC systems

 

 

Heads up: Not just HPC systems... see below. D.


-------- Forwarded Message --------

Subject: [HPC-SIG] Compromised of accounts across various UK HPC systems
Date: Tue, 12 May 2020 13:15:00 +0000
From: Kenway, Owain <[log in to unmask]>
Reply-To: HPC Special Interest Group discussion list <[log in to unmask]>
To: [log in to unmask]

 

Hi all,

 

There appears to be some fairly co-ordinated attack of HPC centres across the UK (and we are aware of some systems in Germany).

 

These appear to be compromised by gaining access to (unprotected?) SSH keys on systems already compromised and using them to jump onto others.  We've found three accounts affected at UCL, two UCL ones and one MMM Hub one and are working to identify whether they succeeded in escalating to root (as they have done at some other sites). 

 

It's worth pointing out that not just HPC systems are affected, we found two of the compromised accounts on our central UCL Unix service.

 

A good sign is logs showing logins from two IP addresses in China, specifically:

202.120.32.231

159.226.161.107

 

Please look for evidence of this in your logs.

 

Sorry to be the bearer of bad news,

Owain

 

--

/UCL/ISD/RITS/Head of Research Computing/Owain Kenway

Twitter: @owainkenway   || E-mail: [log in to unmask]
Internal: 59834         || External: 02031089834
6th Floor, 1-19 Torrington Place, WC1E 7HB

 


To unsubscribe from the HPC-SIG list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=HPC-SIG&A=1

 


To unsubscribe from the TB-SUPPORT list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=TB-SUPPORT&A=1
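
The log check requested in the forwarded message, as an added example that is not part of the original e-mail thread: it parses sshd authentication lines and reports which accounts were reached from the two quoted addresses, also catching the IPv4-mapped IPv6 form that a plain text search would miss. It assumes OpenSSH's standard syslog message format; the sample log lines, host names and user names are constructed.

```python
import ipaddress
import re

# Indicator addresses quoted in the forwarded message above.
INDICATOR_IPS = {ipaddress.ip_address("202.120.32.231"),
                 ipaddress.ip_address("159.226.161.107")}

# OpenSSH auth lines: "Accepted|Failed <method> for [invalid user ]<user> from <addr> port <n>"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<addr>\S+) port \d+")

def normalise(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d). None if unparsable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def find_indicator_logins(lines):
    """Return (user, address, result, method) for each sshd auth event from an indicator IP."""
    hits = []
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        ip = normalise(m.group("addr"))
        if ip in INDICATOR_IPS:
            hits.append((m.group("user"), str(ip), m.group("result"), m.group("method")))
    return hits

# Constructed sample log lines (hosts, users and timestamps are made up).
SAMPLE_LOG = """\
May 11 02:14:07 login01 sshd[4121]: Accepted publickey for alice from 202.120.32.231 port 51122 ssh2: RSA SHA256:EXAMPLE
May 11 02:15:40 login01 sshd[4190]: Accepted password for bob from 192.0.2.10 port 40022 ssh2
May 11 03:01:12 login02 sshd[5003]: Failed password for invalid user test from ::ffff:159.226.161.107 port 33810 ssh2
May 11 03:05:55 login02 sshd[5040]: Accepted publickey for carol from 202.120.32.23 port 51200 ssh2
""".splitlines()

if __name__ == "__main__":
    for user, addr, result, method in find_indicator_logins(SAMPLE_LOG):
        print(f"{result:8} {method:10} user={user} from={addr}")
```

Any account that appears with an `Accepted` result is a candidate for key rotation and a check of the other systems that account's keys can reach.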

 

