from the fix-fix-fix dept.
We have observed some irregularities indicating a break-in to our mail server. A sniffer program was running on the mail server, which collected, among other things, account names with passwords.
The following steps need to be done:
Unfortunately, this is not an April 1st joke.
Update (April 11, 2003, by Elmar Heeb):
On April 2 we reinstalled all of the approx. 90 Intel/Linux workstations that are maintained by the IT Support Group of the Department of Physics. As far as we could check, there was no other workstation affected apart from the one we found on March 31. We also thoroughly inspected all servers and found no trace of any other break-in. For the mail server we have a backup from right before we did the upgrade.
This allowed us to clearly identify the root kit and trace back the events. More information can be found at CERN, from where the intruder connected to infiltrate us. Unfortunately, there are no log files available from the time when the sniffer was running (March 25, 15:40 until March 31, 15:00), as the sniffer was hiding itself very well.