[nsp-sec] Compromised accounts

Joel Rosenblatt joel at columbia.edu
Thu Jul 24 13:50:19 EDT 2008


Hi,

I got the following note from our CS department:

-----------------------
One of our PhDs' accounts was compromised. The hacker used this account to break into several systems listed below. Could you please notify them about the account compromised on their systems. Once the hacker got into the system, he/she may have gotten root on the machine. If they have any questions, please feel free to give them my contact information.

The hacking was from an account called kumiko from battleax.cs.columbia.edu (128.59.23.50) and irtcluster02.cs.columbia.edu (128.59.19.154). Our machines were not compromised, only one user account was compromised through a weak password.

PS: It's amazing how many accounts use a password the same as the login ID!
------------------------

It is possible that the attacks also came from a machine named almond.cs.columbia.edu.

Here are the winners:




and the losers :-)



Thanks,
Joel

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel



