Updated: 8/13/2005; 6:41:29 PM.
Jason J. Thomas' Weblog
I gotta have more cowbell.
Friday, June 03, 2005

Well, after spending the last two days cleaning up compromised machines and doing some forensics, it appears as though we have determined how we were compromised. 

The initial servers--there were two--run some Oracle components to allow connectivity to our Oracle database.  These Oracle components have not been patched, and Oracle released a large batch of patches on 13 April 2005.  Additionally, these servers were open to the Internet.  They did not need to be, so we have now disabled their access. 

It looks like our hacker probably gained access to the boxes via the Oracle vulnerabilities.  Once they were in, they ran some password cracking tools to determine the passwords for local accounts on the machine.  They also determined the services running on the machine.  They discovered Terminal Services was running on the server, and they gained access to it via the now easily guessable password for the Administrator account. 

It was not too far a leap for them to essentially run this same script to compromise hosts on the same subnet.  Fortunately, it was not completely successful on those machines that had the latest version of VirusScan.  Also, not all servers were hosting pirated content. 

The host that connected and installed all of these services resided in Edinburgh, Scotland.  We are still working with the information technology staff at the University of Edinburgh to get the offending host examined. 

As a result of this incident, all passwords have been changed.  Those servers that do not need outside access have now been blocked to campus-only.  We are also crafting some better policies to govern the patching of the applications that reside on this machine.  In addition to the vulnerability scans that our Security group performs, we will do some proactive monitoring of the servers to alert us to any unexpected open ports.  Finally, this is speeding up the deployment of the campus firewall that has been talked about greatly in the last few months. 
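A defender-side illustration of the "proactive monitoring of the servers to alert us to any unexpected open ports" mentioned above, added here as an example; it is not code from the post or its author. It parses netstat-style output for TCP sockets in LISTENING state, compares them with an approved per-host baseline, and produces alert text for anything outside it. The netstat text, the baseline ports and their descriptions are all constructed for the illustration (in particular, the listener on TCP/7777 is a made-up "unexpected" port).

```python
"""Baseline check for unexpected listening ports.

Added example (not from the original post). Parses netstat-style output,
extracts TCP ports in LISTENING state, and compares them against an
approved baseline so that a new listener raises an alert and a missing
baseline service raises a warning. All sample data below is constructed.
"""
import re
from typing import Dict, List, Set

# Constructed sample: roughly what `netstat -an` on a Windows host prints.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          192.0.2.10:51234       ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Hypothetical approved baseline for one database-connectivity server:
# port -> description. Anything listening outside this set gets flagged.
BASELINE: Dict[int, str] = {
    135: "RPC endpoint mapper",
    445: "SMB",
    1521: "Oracle listener (campus-only)",
    3389: "Terminal Services (campus-only)",
}

# Matches a TCP line in LISTENING state; the address group also handles
# IPv6 forms such as "[::]:135" because it stops at the last colon.
_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s*$"
)


def listening_ports(netstat_output: str) -> Set[int]:
    """Return the set of TCP ports in LISTENING state from netstat text."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group("port")))
    return ports


def unexpected_ports(netstat_output: str, baseline: Dict[int, str]) -> List[int]:
    """Ports listening now that are not in the approved baseline, sorted."""
    return sorted(listening_ports(netstat_output) - set(baseline))


def missing_ports(netstat_output: str, baseline: Dict[int, str]) -> List[int]:
    """Baseline ports that are not listening (service down or disabled)."""
    return sorted(set(baseline) - listening_ports(netstat_output))


def report(netstat_output: str, baseline: Dict[int, str]) -> str:
    """Human-readable summary suitable for an alert e-mail or ticket."""
    lines: List[str] = []
    for p in unexpected_ports(netstat_output, baseline):
        lines.append(f"ALERT: unexpected listener on TCP/{p}")
    for p in missing_ports(netstat_output, baseline):
        lines.append(f"WARN: baseline service on TCP/{p} ({baseline[p]}) not listening")
    return "\n".join(lines) if lines else "OK: listening ports match baseline"


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT, BASELINE))
```

In practice the netstat text would come from a scheduled job on each server (or from an external scan of the host from the campus network), and the baseline would be kept per host alongside the patch policy so that a change to either is reviewed together.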

The lesson here is that security is not merely making sure that the operating system is fully patched.  The applications that run on the operating system also need to be patched. 

3:51:20 PM

© Copyright 2005 Jason J. Thomas.