Monday, February 16, 2009
Governments aren't the only ones that are Balkanizing the Internet
It must have been, oh, 1993 or 1994. I had just logged into the computer in my office at college (a very sweet SGI Personal Iris 4D/35) when I noticed something rather odd—I was already logged in. Upon further inspection, it appeared I was logged in from Russia.
Oh. How nice.
I don't pick easy passwords (just ask Smirk—he bitches everytime I pick a new
root password that he has to memorize). They really are a random pick of letters, numbers and punctuation with no rhyme or reason.
And yet, here was someone in Russia, logged into my computer.
This was before
ssh was even released, so everybody either used
rsh (which I couldn't stand) or
telnet. And the problem with both was that passwords were passed across the network in plaintext. And that was the problem.
At the time, I was working in the Math Department. On the other side of the building you had the Geology Department. And I should mention that at the time, the second floor was wired for 10Base-2 (all computers on a network segment share a single communications wire—think of a party line for computers).
Unbeknownst to me (or in fact, most of the people in the second floor) someone in the Geology department had decided to install a Unix system, only they didn't quite realize what they were doing because they left the root account without a password! And because the network was 10Base-2, it was real easy for a hacker to install a network sniffer and grab passwords as they were sent across the network.
Not much to guard against that type of attack.
Fast forward ten years, and my account is again hacked. This time it was an inside job—that is, a server I was maintaining for a company had been hacked by someone in said company (not really “hacked” as in he obtained the passwords) and compromised (backdoors and password loggers installed).
And again, not much I could have done to guard against that type of attack, except maybe to not log into personal machines from a work machine.
Fast forward to today. Saw the following on an internal trouble ticket from P:
[New SSH-only server] hacked?
/root/send/send.php? Looks like some type of spamming script.
I check, and sure enough, my account had been compromised. And this on a new server installed, with the absolutely latest version of
ssh (compiled from source!) and only one of three programs running (
syslogd which wasn't listening for a network connection, and
crond, which doesn't listen on the network).
And there it was, sending out spam.
Nuke. Pave. Do not pass Go. Do not collect $200.00.