Friday, January 05, 2007

Hackers from the IRC

This is a story showing how secure the Linux servers actually are. We will take a Linux network at a rather well-known school called Harvard University as an example. ;-)

Today around 5 pm, feynman.harvard.edu seemed kind of sluggish. So I typed "top" and a user named "testuser" was running about 100 copies of the command "ssh-scan" - something that didn't look terribly safe. The commands "last" and "finger" revealed that the user was connected from ipt.aol.com - a place where it is very difficult to identify individual users. Today he was connected for a few minutes just like on Tuesday. The command "ps -aux" showed that it was really "./ssh-scan 100" whatever the argument means.



Figure 1: Linux hacker: anyone can do it

After some time, I had the courage to ask the question where the file "ssh-scan" was actually located. So I typed "locate ssh-scan", after several similar commands that were not helpful, and it gave me two answers, both in the directory of Amer Iqbal. ;-) Let me say in advance that I am deeply convinced that Amer, who still has an account on this network, can't be the hacker himself, although I can't rigorously prove it.




Most of Amer's authentic files were old - between 1998 and 2004 - but there were two directories from September 2006. One of them was called "adv" and the other was called ". ". The latter is a funny name if you look carefully: a dot followed by a space. It looks almost indistinguishable from a dot, the usual symbol for the current directory, and you need a backslash before the space to actually type the name. The DOT-SPACE directory contained various programs such as ssh-scan and superscan, whatever they're exactly good for, while the "adv" directory had even more interesting material, such as ASCII screenshots from the IRC, the Internet Relay Chat.
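As an added example that is not part of the original post, here are two shell checks for the indicators described above: directory names that hide whitespace (the dot-space trick) and one user running a hundred copies of the same scanner. The sample directory tree and the ps listing are constructed for the demonstration; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not the post's own code. Two defender-side triage checks
# for the indicators described in the post.

make_sample_tree() {
    # Constructed sample: an ordinary directory next to the ". " directory
    # (dot followed by a space), created in a fresh temp dir.
    d=$(mktemp -d)
    mkdir "$d/adv" "$d/. "
    printf '%s\n' "$d"
}

list_whitespace_names() {
    # $1: tree to scan. Prints every entry whose name contains a space,
    # run through `sed -n l` so a trailing space shows up as " $" instead
    # of being invisible in ordinary ls output.
    find "$1" -name '* *' -print | sed -n 'l'
}

count_whitespace_names() {
    # Same search, but just the number of hits (for scripted alerting).
    find "$1" -name '* *' -print | wc -l | tr -d ' '
}

# Constructed sample of `ps -eo user=,comm=` output, not a real capture:
# one user, the same command repeated.
SAMPLE_PS='root sshd
testuser ssh-scan
testuser ssh-scan
testuser ssh-scan
lumo bash'

flag_process_storms() {
    # $1: threshold. Reads "user command" lines on stdin and prints
    # "user command count" for every pair at or above the threshold;
    # ~100 copies of ./ssh-scan under one account would trip this at once.
    sort | uniq -c | awk -v t="$1" '$1 >= t { print $2, $3, $1 }'
}

# Demo on the constructed data.
root=$(make_sample_tree)
list_whitespace_names "$root"                 # shows ".../. $"
printf '%s\n' "$SAMPLE_PS" | flag_process_storms 3   # testuser ssh-scan 3
rm -rf "$root"
```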



So after 5 years or so, I started my mIRC to connect to the IRC but didn't find the usernames etc. Just for fun, let me tell you that the people around the hacker who connected from most of the high-energy physics computers have been using the following nicknames in the chatrooms:
  • Adevar2, Adevar3, GOV, Sweetie, bugmafia

and there have been a lot of people from Chile, especially on the #chile channel that appeared quite often. My conclusion is that the Schwinger network used to have a testuser account with a testuser password. This combination is listed in one of the files for guessing the login names and passwords - a file that is also included in Amer's directory. Amer's password could have been easy to guess, too. So someone from ipt.aol.com guessed it correctly and he is still happily using the resources.

I only restarted feynman.harvard.edu to irritate the hacker. Recall that there won't be anyone in town who knows the root password at least until the end of the week.

At this level of privileges, every connectable computer in the schwinger.harvard.edu cluster is usable by these friends of Harvard. If it's just the testuser and iqbal accounts, it probably can't do much harm. However, there are probably many other groups of gangsters, criminals, and insufficiently spanked children who may be fighting for dominance on the schwinger.harvard.edu network. I was told by a (nearly safe) physics.harvard.edu administrator that some of our computers were used for attacks elsewhere as recently as last week.

Although the full content of the reports is unknown to me, it seems that there have been roughly 5 different types of security breaches on the schwinger.harvard.edu network. The message for the hackers is clear: if you want to have some fun, choose a vulnerable place such as Harvard University and a vulnerable operating system such as Linux. But be careful: your humble correspondent may know much more about you than you think - and more than what I wrote above - and you can ultimately be caught and destroyed.

And that's the memo.
