[nsp-sec] Attn Yahoo -> breakin to one of our servers by user ravenssh at yahoo.com (fwd)

Joel Rosenblatt joel at columbia.edu
Sun Jul 20 20:41:48 EDT 2008


Hi,

This was sent by the sysadmin in our math department to Yahoo security - he is a good guy and is generally very clueful - can you please fast-track this if possible?

Thank you,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


------------ Forwarded Message ------------
Date: Sunday, July 20, 2008 8:27 PM -0400
From: Peter Woit <woit at cpw.math.columbia.edu>
To: security at yahoo-inc.com
Cc: security at columbia.edu
Subject: breakin to one of our servers by user ravenssh at yahoo.com


I'm investigating a break-in to one of the servers for math.columbia.edu that occurred this morning:

Jul 20 03:48:56 fdr sshd[10011]: Accepted keyboard-interactive/pam for root from 128.59.23.82 port 55578 ssh2
Jul 20 03:48:56 fdr sshd[10017]: pam_unix(sshd:session): session opened for user root by root(uid=0)

(all times local New York City time).

Someone somehow managed to log in to the server fdr.math.columbia.edu as root via SSH from a machine in the Computer Science department (almond.cs.columbia.edu). I have contacted the people at CS and asked them to investigate this. I do not now know why this was possible, and it is of high priority to find this out soon to protect our other servers (fdr.math.columbia.edu has been shut down).

Soon after the break-in, logs show the following e-mail traffic from the compromised root account:

Jul 20 03:55:51 fdr sendmail[10490]: m6K7tqPY010490: from=root, size=23279, class=0, nrcpts=1, msgid=<200807200755.m6K7tqPY010490 at fdr.math.columbia.edu>, relay=root at localhost

Jul 20 03:55:51 fdr sendmail[10491]: m6K7tq5q010491: from=<root at fdr.math.columbia.edu>, size=23554, class=0, nrcpts=1, msgid=<200807200755.m6K7tqPY010490 at fdr.math.columbia.edu>, proto=ESMTP, daemon=MTA, relay=smmsp at localhost [127.0.0.1]

Jul 20 03:55:51 fdr sendmail[10490]: m6K7tqPY010490: to=<ravenssh at yahoo.com>, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=53279, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (m6K7tq5q010491 Message accepted for delivery)

Jul 20 03:55:51 cpw sendmail[15271]: m6K7tqSr015271: from=<root at math.columbia.edu>, size=23747, class=0, nrcpts=1, msgid=<200807200755.m6K7tqPY010490 at fdr.math.columbia.edu>, proto=ESMTP, daemon=MTA, relay=root at fdr.math.columbia.edu [128.59.192.11]

Jul 20 03:55:51 fdr sendmail[10500]: m6K7tq5q010491: to=<ravenssh at yahoo.com>, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=143554, relay=cpw.math.columbia.edu. [128.59.192.10], dsn=2.0.0, stat=Sent (m6K7tqSr015271 Message accepted for delivery)

E-mail was being sent from our intruder to "ravenssh at yahoo.com".

I would like to request that you, as soon as possible:

1. Shut off access to the "ravenssh" account. It is being used to break in to computers via ssh.

2. Send me copies of the e-mails sent from "root at fdr.math.columbia.edu" to ravenssh at yahoo.com. These may contain information about which of our accounts have been compromised and how.

3. Investigate all e-mail of ravenssh, and let me know if you learn anything from it about the methods being used in these break-ins.

I can be reached at 212-854-2642, will be here a couple more hours this evening, and all day tomorrow.

Best wishes,

Peter Woit


---------- End Forwarded Message ----------





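As an added example, not part of the original thread, the following Python script automates the correlation the forwarded report does by hand: it picks out accepted SSH logins for a given user from the sshd entries, then lists sendmail deliveries on the same host whose ctladdr is that user within a window after the login, and flags logins that were not key-based (a root login accepted via keyboard-interactive/pam is itself the first thing to alert on). The sample log is constructed from the entries quoted above, with "@" restored where the archive munged addresses to " at ", plus two benign entries for the filter to reject. The syslog year (2008), the one-hour window, and all function names are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log modelled on the sshd and sendmail entries in the
# report above, plus a key-based login by an ordinary user and a root mail
# hours later so the filter has something to reject.
SAMPLE_LOG = """\
Jul 20 03:48:56 fdr sshd[10011]: Accepted keyboard-interactive/pam for root from 128.59.23.82 port 55578 ssh2
Jul 20 03:48:56 fdr sshd[10017]: pam_unix(sshd:session): session opened for user root by root(uid=0)
Jul 20 03:55:51 fdr sendmail[10490]: m6K7tqPY010490: from=root, size=23279, class=0, nrcpts=1, msgid=<200807200755.m6K7tqPY010490@fdr.math.columbia.edu>, relay=root@localhost
Jul 20 03:55:51 fdr sendmail[10490]: m6K7tqPY010490: to=<ravenssh@yahoo.com>, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=53279, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (m6K7tq5q010491 Message accepted for delivery)
Jul 20 03:55:51 fdr sendmail[10500]: m6K7tq5q010491: to=<ravenssh@yahoo.com>, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=143554, relay=cpw.math.columbia.edu. [128.59.192.10], dsn=2.0.0, stat=Sent (m6K7tqSr015271 Message accepted for delivery)
Jul 20 09:10:00 fdr sshd[12000]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2
Jul 20 12:00:00 fdr sendmail[13000]: m6KG00aa013000: to=<ops@math.columbia.edu>, ctladdr=root (0/0), delay=00:00:00, mailer=local, dsn=2.0.0, stat=Sent
"""

# Common syslog prefix: "Mon dd HH:MM:SS host ".
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
SSH_ACCEPT = re.compile(
    TS + r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
# Only the delivery record that carries ctladdr (the controlling local user) is
# matched; the relay hop for the same message has a new queue id and no
# ctladdr, so it is not counted a second time.
MAIL_TO = re.compile(
    TS + r"sendmail\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]+)>, ctladdr=(?P<ctl>\S+)")


def parse_ts(stamp: str, year: int) -> datetime:
    """Syslog timestamps carry no year; the caller supplies one (assumed)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def correlate(log_text, user="root", window=timedelta(hours=1), year=2008):
    """Return one finding per accepted login of `user`, each with the mail
    that user sent from the same host within `window` after the login."""
    logins, deliveries = [], []
    for line in log_text.splitlines():
        m = SSH_ACCEPT.match(line)
        if m:
            logins.append({"time": parse_ts(m["ts"], year), "host": m["host"],
                           "user": m["user"], "method": m["method"], "src": m["src"]})
            continue
        m = MAIL_TO.match(line)
        if m:
            deliveries.append({"time": parse_ts(m["ts"], year), "host": m["host"],
                               "qid": m["qid"], "rcpt": m["rcpt"], "ctl": m["ctl"]})
    findings = []
    for login in logins:
        if login["user"] != user:
            continue
        related = [d for d in deliveries
                   if d["host"] == login["host"] and d["ctl"] == user
                   and login["time"] <= d["time"] <= login["time"] + window]
        findings.append({**login,
                         "interactive": not login["method"].startswith("publickey"),
                         "mail": related})
    return findings


def describe(finding) -> str:
    """Render a finding as the lines an analyst would paste into a ticket."""
    f = finding
    head = f"{f['time']:%b %d %H:%M:%S} {f['host']}: {f['user']} login via {f['method']} from {f['src']}"
    if f["interactive"]:
        head += " [password/PAM root login: should not be permitted]"
    lines = [head]
    for d in f["mail"]:
        lines.append(f"    +{d['time'] - f['time']} mail {d['qid']} from {d['ctl']} to {d['rcpt']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(describe(finding))
```

On the sample log this reports a single finding: the 03:48:56 root login from 128.59.23.82, flagged as interactive, with one mail (queue id m6K7tqPY010490) to ravenssh@yahoo.com seven minutes later; the alice login is skipped and the noon root mail falls outside the window. Matching on ctladdr rather than on every to= line is what keeps the relay hop through cpw from appearing as a second message. The same two regexes can be pointed at a real /var/log/messages or /var/log/secure plus maillog concatenation; in a production setup the interactive-root condition alone should page, whether or not any mail follows.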

