I’m sitting at the computer, busily working away on a couple of projects, and then there’s a drop in throughput to the network… sites won’t load, and now – even one of the local servers won’t respond. Network bandwidth use is up like crazy; and then it drops.
Time to check a couple of logs. I use an Intrusion Detection System of my own design, and it’s caught a problem, and shut down a port on the switch to prevent further damage. I log into the Linux box from the hardwired console, run lastlog, and there it is – one account has been accessed from 22.214.171.124 – uh huh. I don’t think that is from the college, or any local ISP, and a quick check with ARIN says this block belongs to RIPE (uh oh) – and RIPE says it’s from Romania.
Oh dear. We have a hacker.
First things first. This system is disconnected from the outside world (and it was never connected to the inner network); so let’s make a copy for analysis… done. Now let’s look at the image, and see if we can figure out what happened. Hmm… seems the original account holder decided to change his password to “l234” – oh joy. How do I know this? From a logfile, showing all the login attempts, by an automated scanner (from Kiev). The scanner was able to fool the guard-shack software by operating in slow motion, testing a new combination at pseudo-random intervals of 15 to 100 seconds. It’s been working on this since mid-March… but only on this one account. And – this system is generally hidden from view. How did it know to come here?
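Here is what that evasion looks like in the logs, and what it takes to catch it. This is an added example written for this page, not the author's IDS or the guard-shack software; the sshd log format, the one-minute lockout threshold, the 24-hour rule, the account name, the addresses and the log lines themselves are all constructed for the demonstration. Guesses spaced at least 15 seconds apart can never put five failures inside one minute, so a short-window lockout stays silent; a per-account counter kept over a day sees two hundred failures and trips immediately.

```python
import random
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2008  # syslog lines carry no year; assumed for the constructed sample


def syslog_ts(ts):
    """Classic syslog timestamp: abbreviated month, space-padded day, HH:MM:SS."""
    return f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"


def failed_line(ts, user, src, port):
    return (f"{syslog_ts(ts)} gw sshd[{4000 + port % 1000}]: "
            f"Failed password for {user} from {src} port {port} ssh2")


def make_slow_scan(user, src, start, count, seed=7):
    """Constructed attacker trace: one guess every 15-100 s at pseudo-random spacing."""
    rng = random.Random(seed)
    lines, ts = [], start
    for i in range(count):
        lines.append(failed_line(ts, user, src, 40000 + i))
        ts += timedelta(seconds=rng.randint(15, 100))
    return lines


def make_burst(user, src, start, count):
    """Constructed benign noise: a local user fat-fingering a password every 5 s."""
    return [failed_line(start + timedelta(seconds=5 * i), user, src, 50000 + i)
            for i in range(count)]


FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(lines, year=YEAR):
    """Return sorted (timestamp, user, source) tuples for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["src"]))
    events.sort()
    return events


def window_alerts(events, limit, window):
    """Sliding-window counter per (user, src): trip when `limit` failures fall inside `window`.

    Returns {(user, src): peak count inside one window} for the keys that tripped."""
    recent = defaultdict(deque)
    peak = {}
    for ts, user, src in events:
        key = (user, src)
        dq = recent[key]
        while dq and ts - dq[0] >= window:   # drop attempts that aged out of the window
            dq.popleft()
        dq.append(ts)
        if len(dq) >= limit:
            peak[key] = max(peak.get(key, 0), len(dq))
    return peak


def burst_alerts(events):
    # Assumed lockout rule of the "guard-shack" software: 5 failures inside one minute.
    # With guesses at least 15 s apart, at most 4 ever share a 60 s window, so it never fires.
    return window_alerts(events, limit=5, window=timedelta(minutes=1))


def slow_alerts(events):
    # Long-horizon rule: 20 failures against one account from one source inside a day.
    return window_alerts(events, limit=20, window=timedelta(hours=24))


def median_gap_seconds(events, user, src):
    """Median spacing between attempts; tens of seconds sustained over hundreds of tries is the slow-scan signature."""
    ts = [t for t, u, s in events if (u, s) == (user, src)]
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return statistics.median(gaps) if gaps else None


# Constructed sample: 200 slow guesses at "wowguy" from a documentation-range address,
# plus six quick failures from a local user. Not real log data.
SAMPLE = (make_slow_scan("wowguy", "198.51.100.23", datetime(YEAR, 3, 15, 2, 0, 0), 200)
          + make_burst("alice", "192.168.1.40", datetime(YEAR, 3, 15, 9, 30, 0), 6))

if __name__ == "__main__":
    ev = parse_failures(SAMPLE)
    print("per-minute rule:", burst_alerts(ev))
    print("per-day rule:   ", slow_alerts(ev))
    print("median gap (s): ", median_gap_seconds(ev, "wowguy", "198.51.100.23"))
```

The point of the two rules side by side is that rate limits with short windows only defend against impatient attackers; a counter keyed on the account and kept for a day (or for as long as the password policy lets a bad password live) is what surfaces a patient one, and the median gap tells you which of the two you are looking at.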
Turns out, the account holder advertised he had a new account on a new system and was learning Linux and posted messages about this in several forums… gee, thanks, guy.
Time to clean it up. The IDS is on a separate system, and when it noticed unusual traffic, it simply contacted the switch and shut down the offending port, and then sent a few messages about what it did to the usual suspects. By shutting down the switch port, the hacker lost connectivity immediately and was unable to execute the usual cleanups. Now I have a history file to peruse, and see what happened.
Three hours pass… and it’s clean. I have a system image preserved for posterity (or at least for the rest of the month), and an improved password policy in place on the system. I thought I had one in place, but a routine update overwrote the file with defaults – I see the update I used was replaced in the repository shortly after I used it; put that one down to bad luck, and add the affected files to the comparator cron job.
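A comparator job of the kind mentioned above, as an added example (my own code for this page, not the author's cron job): hash the policy files against a stored baseline, and, separately, check that the settings inside login.defs still meet the policy, so that a legitimate edit is caught too if it quietly weakens things. The watched paths, the required values, and the file contents are all assumptions constructed for the demo; it runs against a temporary directory rather than the real /etc.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the cron job would watch; relative to a root so the demo can run in a temp dir.
WATCHED = ["etc/login.defs", "etc/pam.d/common-password"]

# Settings the site policy requires in login.defs (assumed values, illustrative only).
REQUIRED = {
    "PASS_MIN_LEN": lambda v: int(v) >= 12,
    "PASS_MAX_DAYS": lambda v: int(v) <= 90,
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, watched=WATCHED):
    """Map each watched path to its digest, or None if it is absent."""
    root = Path(root)
    return {rel: sha256_of(root / rel) if (root / rel).is_file() else None for rel in watched}


def diff_snapshots(baseline, current):
    """Compare a stored baseline with a fresh snapshot."""
    report = {"changed": [], "missing": [], "appeared": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if old is not None and new is None:
            report["missing"].append(rel)
        elif old is None and new is not None:
            report["appeared"].append(rel)
        elif old != new:
            report["changed"].append(rel)
    return report


def login_defs_violations(text):
    """Check the policy lines themselves, so a legitimate edit is still held to the standard."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    bad = []
    for key, ok in REQUIRED.items():
        value = settings.get(key)
        if value is None or not ok(value):
            bad.append(f"{key}={value}")
    return bad


# Constructed file contents: the hardened policy and a typical packaged default.
HARDENED = "# site policy\nPASS_MAX_DAYS\t90\nPASS_MIN_LEN\t12\nPASS_WARN_AGE\t7\n"
DISTRO_DEFAULT = "PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5\nPASS_WARN_AGE\t7\n"
PAM_PASSWORD = "password required pam_unix.so sha512 shadow\n"


def demo():
    """Simulate: take a baseline, let an update overwrite login.defs, run the nightly compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in (("etc/login.defs", HARDENED), ("etc/pam.d/common-password", PAM_PASSWORD)):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = snapshot(root)                                # in practice, store this off the box
        (root / "etc/login.defs").write_text(DISTRO_DEFAULT)     # the "routine update" lands
        report = diff_snapshots(baseline, snapshot(root))
        report["violations"] = login_defs_violations((root / "etc/login.defs").read_text())
        return report


if __name__ == "__main__":
    print(demo())
```

Run it from cron with the real root and a baseline file, and have it mail on any non-empty changed, missing or violations list. Keep the baseline somewhere the box itself cannot rewrite; a hash list sitting next to the files it protects is the first thing a tidy intruder fixes.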
Live and learn. Back to electron mining.
…and for the account holder who created the vulnerability? His account and one other (also advertised on WoW forums) have been obliterated. I hope he didn’t use his clever password elsewhere…