* * * * *
Governments aren't the only ones that are Balkanizing the Internet
It must have been, oh, 1993 or 1994. I had just logged into the computer in
my office at college [1] (a very sweet SGI Personal Iris 4D/35 [2]) when I
noticed something rather odd—I was already logged in. Upon further
inspection, it appeared I was logged in from Russia.
Oh. How nice.
I don't pick easy passwords (just ask Smirk—he bitches every time I pick a new
root password that he has to memorize). They really are a random pick of
letters, numbers and punctuation with no rhyme or reason.
And yet, here was someone in Russia, logged into my computer.
This was before ssh was even released, so everybody either used rsh (which I
couldn't stand) or telnet. And the problem with both was that passwords were
passed across the network in plaintext. And that was the problem.
At the time, I was working in the Math Department [3]. On the other side of
the building you had the Geology Department [4]. And I should mention that at
the time, the second floor was wired for 10Base-2 [5] (all computers on a
network segment share a single communications wire—think of a party line for
computers).
Unbeknownst to me (or in fact, most of the people on the second floor)
someone in the Geology department had decided to install a Unix system, only
they didn't quite realize what they were doing because they left the root
account without a password! And because the network was 10Base-2, it was real
easy for a hacker to install a network sniffer and grab passwords as they
were sent across the network.
Not much to guard against that type of attack.
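The Geology box was owned because its root account had no password at all. The check below is an added example written for this post, not the author's code: it reads passwd- and shadow-style records (constructed sample data is embedded so it runs as-is) and flags accounts whose password field is empty, with extra weight on uid 0. It assumes the standard 7-field passwd and 9-field shadow layouts; whether an empty field actually lets someone log in depends on the login program's configuration, but it is exactly the misconfiguration described above and should never appear on a networked box.

```python
"""Audit passwd/shadow records for accounts that can log in without a password.

Added example, not the post author's code. SAMPLE_PASSWD and SAMPLE_SHADOW
below are constructed for the demonstration, not copied from any real host.
"""
import sys

PASSWD_FIELDS = 7   # name:x:uid:gid:gecos:home:shell
SHADOW_FIELDS = 9   # name:hash:lastchg:min:max:warn:inactive:expire:reserved


def _records(text, expected_fields, label):
    """Yield colon-split records, skipping blanks and comments."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != expected_fields:
            raise ValueError(f"{label} line {lineno}: expected "
                             f"{expected_fields} fields, got {len(fields)}")
        yield fields


def parse_passwd(text):
    """Map account name -> numeric uid."""
    return {f[0]: int(f[2]) for f in _records(text, PASSWD_FIELDS, "passwd")}


def parse_shadow(text):
    """Map account name -> password hash field (may be empty)."""
    return {f[0]: f[1] for f in _records(text, SHADOW_FIELDS, "shadow")}


def classify(hash_field):
    """EMPTY: no password at all. LOCKED: '!' or '*' marker. SET: a real hash."""
    if hash_field == "":
        return "EMPTY"
    if hash_field[0] in "!*":
        return "LOCKED"
    return "SET"


def audit(passwd_text, shadow_text):
    """Return (account, severity, reason) tuples in shadow-file order."""
    uids = parse_passwd(passwd_text)
    findings = []
    for name, hash_field in parse_shadow(shadow_text).items():
        uid = uids.get(name)
        state = classify(hash_field)
        if state == "EMPTY":
            # Empty field: the login prompt may accept an empty password.
            severity = "critical" if uid == 0 else "high"
            findings.append((name, severity, "empty password field"))
        elif state == "SET" and uid == 0 and name != "root":
            # A second uid-0 login with a usable password is a classic backdoor.
            findings.append((name, "high", "extra uid-0 account with a usable password"))
    return findings


# Constructed sample data: 'root' and 'guest' have no password, 'toor' is a
# second uid-0 account, 'daemon' and 'backup' are locked, 'sean' is normal.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sean:x:1000:1000:Sean:/home/sean:/bin/sh
guest:x:1001:1001:Guest:/home/guest:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:toor:/root:/bin/sh
"""

SAMPLE_SHADOW = """\
root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
sean:$6$constructedsalt$constructedhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
backup:!:19000:0:99999:7:::
toor:$6$constructedsalt$anotherconstructedhash:19000:0:99999:7:::
"""


def main(argv):
    # Usage: python3 audit.py [/etc/passwd /etc/shadow]; with no arguments the
    # constructed sample data is audited.
    if len(argv) == 3:
        with open(argv[1]) as p, open(argv[2]) as s:
            findings = audit(p.read(), s.read())
    else:
        findings = audit(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for name, severity, reason in findings:
        print(f"{severity.upper():8} {name}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Reading the real `/etc/shadow` needs root, so in practice this runs from cron as root and the non-zero exit status feeds whatever alerting is in place; on the sample data it reports `root` as critical and `guest` and `toor` as high.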
Fast forward ten years, and my account is again hacked. This time it was an
inside job [6]—that is, a server I was maintaining for a company had been
hacked by someone in said company (not really “hacked” as in he obtained the
passwords) and compromised (backdoors and password loggers installed).
And again, not much I could have done to guard against that type of attack,
except maybe to not log into personal machines from a work machine.
Fast forward to today. Saw the following on an internal trouble ticket from
P:
> [New SSH-only server] hacked?
>
> What is /root/send/send.php? Looks like some type of spamming script.
>
I check, and sure enough, my account had been compromised. And this on a new
server installed, with the absolutely latest version of ssh [7] (compiled
from source!) and only one of three programs running (syslogd which wasn't
listening for a network connection, and crond, which doesn't listen on the
network).
And there it was, sending out spam.
Nuke. Pave. Do not pass Go. Do not collect $200.00.
Sigh.
[1] gopher://gopher.conman.org/0Phlog:2002/03/04.2
[2] http://hardware.majix.org/computers/sgi.pi/4d35.shtml
[3] http://www.math.fau.edu/
[4] http://www.geology.fau.edu/
[5] http://en.wikipedia.org/wiki/10BASE2
[6] gopher://gopher.conman.org/0Phlog:2004/09/19.1
[7] http://www.openssh.org/