[nsp-sec] Attn Yahoo -> breakin to one of our servers by user ravenssh at yahoo.com (fwd)

Dave Mitchell davem at yahoo-inc.com
Sun Jul 20 20:50:10 EDT 2008


We'll get it shut down asap. 

-d

On Sun, Jul 20, 2008 at 08:41:48PM -0400, Joel Rosenblatt wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> This was sent by the sysadmin in our math department to Yahoo security - he 
> is a good guy and is generally very clueful. Can you please fast track 
> this if possible?
>
> Thank you,
> Joel Rosenblatt
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
>
>
> ------------ Forwarded Message ------------
> Date: Sunday, July 20, 2008 8:27 PM -0400
> From: Peter Woit <woit at cpw.math.columbia.edu>
> To: security at yahoo-inc.com
> Cc: security at columbia.edu
> Subject: breakin to one of our servers by user ravenssh at yahoo.com
>
>
> I'm investigating a break-in to one of the servers for math.columbia.edu that occurred this morning.
>
> Jul 20 03:48:56 fdr sshd[10011]: Accepted keyboard-interactive/pam for root from 128.59.23.82 port 55578 ssh2
> Jul 20 03:48:56 fdr sshd[10017]: pam_unix(sshd:session): session opened for user root by root(uid=0)
>
> (all times local New York City time).
>
> Someone somehow managed to login to the server fdr.math.columbia.edu as root via SSH from a machine in the Computer Science department
> (almond.cs.columbia.edu). I have contacted the people at CS and asked them to investigate this.  I do not now know why this was possible, and it is of high
> priority to find this out soon to protect our other servers (fdr.math.columbia.edu has been shut down).
>
> Soon after the break-in, logs show the following e-mail traffic from the compromised root account:
>
> Jul 20 03:55:51 fdr sendmail[10490]: m6K7tqPY010490: from=root, size=23279, class=0, nrcpts=1, msgid=<200807200755.m6K7tqPY010490 at fdr.math.columbia.edu>,
> relay=root at localhost
>
> Jul 20 03:55:51 fdr sendmail[10491]: m6K7tq5q010491: from=<root at fdr.math.columbia.edu>, size=23554, class=0, nrcpts=1,
> msgid=<200807200755.m6K7tqPY010490 at fdr.math.columbia.edu>, proto=ESMTP, daemon=MTA, relay=smmsp at localhost [127.0.0.1]
>
> Jul 20 03:55:51 fdr sendmail[10490]: m6K7tqPY010490: to=<ravenssh at yahoo.com>, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=53279,
> relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (m6K7tq5q010491 Message accepted for delivery)
>
> Jul 20 03:55:51 cpw sendmail[15271]: m6K7tqSr015271: from=<root at math.columbia.edu>, size=23747, class=0, nrcpts=1,
> msgid=<200807200755.m6K7tqPY010490 at fdr.math.columbia.edu>, proto=ESMTP, daemon=MTA, relay=root at fdr.math.columbia.edu [128.59.192.11]
>
> Jul 20 03:55:51 fdr sendmail[10500]: m6K7tq5q010491: to=<ravenssh at yahoo.com>, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=143554,
> relay=cpw.math.columbia.edu. [128.59.192.10], dsn=2.0.0, stat=Sent (m6K7tqSr015271 Message accepted for delivery)
>
> E-mail was being sent from our intruder to "ravenssh at yahoo.com"
>
> I would like to request that you as soon as possible
>
> 1. Shut off access to the "ravenssh" account.  It is being used to break in to computers via ssh.
>
> 2. Send me copies of the e-mails sent from "root at fdr.math.columbia.edu" to ravenssh at yahoo.com. These may contain information about which of our accounts have
> been compromised and how.
>
> 3. Investigate all e-mail of ravenssh, and let me know if you learn anything from it about the methods being used in these break-ins.
>
> I can be reached at 212-854-2642, will be here a couple more hours this evening, and all day tomorrow.
>
> Best wishes,
>
> Peter Woit
>
>
> ---------- End Forwarded Message ----------
>
>
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
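The two log sources in the forwarded report (an accepted root SSH login, then sendmail delivering root's mail to an outside address minutes later) can be correlated automatically. The following is an added example, not code from this thread; the sample lines are constructed in the syslog format shown above, and the 15-minute window, the year 2008 and the local-domain list are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the report's syslog format (not the real logs).
SAMPLE_LOGS = [
    "Jul 20 03:48:56 fdr sshd[10011]: Accepted keyboard-interactive/pam for root from 128.59.23.82 port 55578 ssh2",
    "Jul 20 03:48:56 fdr sshd[10017]: pam_unix(sshd:session): session opened for user root by root(uid=0)",
    "Jul 20 03:55:51 fdr sendmail[10490]: m6K7tqPY010490: from=root, size=23279, class=0, nrcpts=1, relay=root@localhost",
    "Jul 20 03:55:51 fdr sendmail[10490]: m6K7tqPY010490: to=<ravenssh@yahoo.com>, ctladdr=root (0/0), delay=00:00:00, mailer=relay, dsn=2.0.0, stat=Sent",
    "Jul 20 09:12:03 fdr sendmail[11000]: m6KDC3xx011000: to=<ops@math.columbia.edu>, ctladdr=root (0/0), delay=00:00:00, mailer=relay, dsn=2.0.0, stat=Sent",
    "Jul 20 09:20:40 fdr sendmail[11005]: m6KDKexx011005: to=<admin@example.org>, ctladdr=root (0/0), delay=00:00:00, mailer=relay, dsn=2.0.0, stat=Sent",
]

# sshd "Accepted <method> for <user> from <ip>" and sendmail "to=<rcpt>, ctladdr=<user>" records
SSH_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
MAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: (?P<qid>\S+): to=<(?P<rcpt>[^>]+)>, ctladdr=(?P<ctl>\S+)")

def parse_ts(ts, year=2008):
    # syslog timestamps carry no year; the caller supplies it (2008 for this constructed sample)
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)

def correlate(lines, local_domains, window=timedelta(minutes=15), year=2008):
    """Alert on mail sent as root to a non-local domain within `window` after an accepted root SSH login."""
    root_logins, alerts = [], []
    for line in lines:
        m = SSH_RE.match(line)
        if m and m["user"] == "root":
            root_logins.append((parse_ts(m["ts"], year), m["ip"], m["method"]))
            continue
        m = MAIL_RE.match(line)
        if not m or m["ctl"] != "root":
            continue  # only mail submitted by the root account is of interest here
        if m["rcpt"].rsplit("@", 1)[-1].lower() in local_domains:
            continue  # internal recipients are expected traffic
        sent = parse_ts(m["ts"], year)
        for login_ts, ip, method in root_logins:
            if timedelta(0) <= sent - login_ts <= window:
                alerts.append({"host": m["host"], "login_ip": ip, "method": method, "rcpt": m["rcpt"],
                               "qid": m["qid"], "delta_s": int((sent - login_ts).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS, {"math.columbia.edu", "columbia.edu"}):
        print(alert)
```

The later external message falls outside the window and the internal one is filtered, so only the mail to the outside address shortly after the root login is reported.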