♦ Password
♦ Mailsetup
♦ Info
♦ Workstations
  ♣ Linux
  ♣ MacOS
♦ E-Mail
♦ Chat
♦ Files
♦ Backups
♦ Printers
♦ Network
♦ Statistics
♦ Downloads
♦ Links
♦ Newsletter
♦ Submit
♦ Search
♦ Linux

  Computer break-in and new installation
Annoucements Posted by Beat Rubischon on Tuesday April 01, @01:34PM
from the fix-fix-fix dept.
We have observed some irregularities indicating a break-in into our mail server. A sniffer program was running on the mail server, which collected account names with passwords among other things.

The following steps need to be done:

  • we recommend all users change their passwords. This is most important for those who read their e-mail between March 23 and 31 on our server. If you use the same password on other systems it is advisable to change it there too. You can change the password through the Web at:

  • we will reinstall all our servers and workstations for reason of precaution so that we can again trust our system software. We will start with our mail server in the morning of Wednesday, April 2 and continue with the other servers and workstations. We expect to finish the reinstallation by the end of the week. User data (including mail) will not be affected but access might be intermittent.
If there is new information, we will keep you informed on this web site. If you suspect that a third party is abusing your account, we would like to analyze the situation with you. By changing your password your account should be secure again from break-ins.

Unfortunately, this is not an April 1st joke.

Update (April 11, 2003, by Elmar Heeb):

On April 2 we reinstalled all of the approx. 90 Intel/Linux workstations that are maintained by the IT Support Group of the Department of Physics. As far as we could check there was no other workstation affected apart from the one we found on March 31. Also we thoroughly inspected all servers and found no trace of some other break in. For the mail server we have a backup from right before we did the upgrade.

This allowed us to clearly identify the root kit and trace back the events. More information can be found at CERN from where the intruder connected to infiltrate us. Unfortunately, there are no log files available from the time when the sniffer was running (March 25, 15:40 until March 31, 15:00) as the sniffer was hiding itself very well.

<  |  >


  Related Links
  • Articles on Annoucements
  • Also by Beat Rubischon
  • Contact author
  • The Fine Print: The following comments are owned by whoever posted them.
    ( Reply )

    © 2003 ISG, Departement Physik, ETH Zürich, <>