[ale] Got hacked a week or so ago

Dow Hurst dhurst at kennesaw.edu
Wed Dec 6 09:16:06 EST 2000


Jim,
Thanks for the lead!  It is interesting trying to find what was actually
done.  I initially found the blatant stuff pretty quick but the subtle
stuff is fascinating.  I have stopped a DDoS in progress on the
blatantly hacked machine.  However, I may have found one server trying
to project an Xclient onto another machine's Xserver to capture data. 
This is after discovering that the tcp_wrappers daemon had been replaced
with a vulnerable telnetd and the dgld daemon had been replaced as
well.  Under IRIX the dgld handles all the across network OpenGL data
for the Xserver.  I'll probably end up just having to rebuild everything
myself since the budget is very tight.  University network setups are so
open and vulnerable that I really want to just remove all our machines
off the Internet and maybe use the Debian firewall as a choke point for
an internal intranet.  We have few users that want easy access with
mainly ftp and ssh with the occasional X connection.  This cracker
situation might actually be a boon down the road since one firewall
machine to maintain would be a lot easier than 20-25 workstations.  We
could even go as far as modem-only access for what we do.
Dow

Jim Popovitch wrote:
> 
> The head nerd at Blue Mountain Software (Marietta) is an
> IRIX-guru (and quite a responsible/respectable guy).
> You might want to try contacting Greg ???? (greg at bluemtn.com).
> 
> -Jim P.
> 
> --- Dow Hurst <dhurst at kennesaw.edu> wrote:
> > Was lax on applying a patch to the telnetd daemon under IRIX.  Got
> > royally hacked a couple of weeks ago.  Am dealing with it as best I can
> > but would be interested if anyone has suggestions for a third party
> > security specialist that knows IRIX.  I have too much research work and
> > not enough time for sysadmin to address the situation properly.  The
> > university security officer wanted me to find out what I could about
> > knowledgeable IRIX security consultants.  Really need someone who is
> > reputable and not fly by night.  Well, that phrase reminds me of a fly
> > by day person with lots of Unix experience!
> >
> > Bob Toxen,
> > Do you know IRIX?
> >
> > I've got the name and number of the main SGI Security contact for
> > outside work.  His name is Bill Manooch.  We will call him, I know.
> >
> > Thanks,
> > Dow
> >
> > --
> > __________________________________________________________
> > Dow Hurst                   Office: 770-499-3428
> > Systems Support Specialist  Fax:    770-423-6744
> > 1000 Chastain Rd.
> > Chemistry Department SC428  Email:dhurst at kennesaw.edu
> > Kennesaw State University         Dow.Hurst at mindspring.com
> > Kennesaw, GA 30144
> > *********************************
> > *Computational Chemistry is fun!*
> > *********************************
> > --
> > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in
> > message body.
> 

-- 
__________________________________________________________
Dow Hurst                   Office: 770-499-3428
Systems Support Specialist  Fax:    770-423-6744
1000 Chastain Rd.
Chemistry Department SC428  Email:dhurst at kennesaw.edu
Kennesaw State University         Dow.Hurst at mindspring.com
Kennesaw, GA 30144
*********************************
*Computational Chemistry is fun!*
*********************************
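Dow found the tcp_wrappers daemon and dgld replaced on the hacked box, which is the kind of substitution a file-integrity baseline is meant to surface. The script below is an added example written for this archive page, not code from the thread or from SGI; the IRIX-style paths under usr/etc and the file contents are constructed in a temporary directory purely to show the comparison.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest.
    Symlinks are skipped so a link pointing outside the tree is not hashed."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files whose content changed, files removed, and files that appeared."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario in a temp dir: baseline a clean tree, then swap telnetd,
    remove dgld and drop an unexpected file, mirroring what the thread describes."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "usr" / "etc").mkdir(parents=True)
        (root / "usr/etc/telnetd").write_bytes(b"vendor telnetd build\n")   # constructed
        (root / "usr/etc/dgld").write_bytes(b"vendor dgld build\n")         # constructed
        (root / "usr/etc/tcpd").write_bytes(b"vendor tcp_wrappers build\n")  # constructed
        baseline = build_manifest(root)            # taken while the host is still clean
        (root / "usr/etc/telnetd").write_bytes(b"replaced telnetd\n")  # substituted binary
        (root / "usr/etc/dgld").unlink()                               # daemon removed
        (root / "usr/etc/unknown-daemon").write_bytes(b"new file\n")   # unexpected addition
        return compare_manifests(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)
```

The baseline has to come from a known-clean install and live off the host, and the comparison should run with trusted tools (for example from read-only media), since a compromised system can misreport its own files.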