Unix Break-Ins at WHOI

On the morning of February 23, four Unix computers were broken into by an attacker using a compromised account at MIT's AI Lab.

The attacker had gained access at MIT to an account belonging to a researcher who had done work for a WHOI scientist. The attacker was then able to log into the researcher's account on a WHOI computer that had Secure Shell logins exposed through the firewall. From there, the attacker was able to break into three other systems, and attempted (but failed) to break into at least two others.

The compromised hosts at WHOI were:

charybdis.whoi.edu -- running SGI IRIX
ceto.whoi.edu -- running SGI IRIX
coccyx.whoi.edu -- running Sun Solaris 8
garlock.whoi.edu -- running Sun Solaris 8

We learned of this break-in from investigators at the National Center for Supercomputing Applications (NCSA) at the University of Illinois. They had noticed the system "garlock.whoi.edu" transmitting copies of user passwords to a compromised system at another research institution.

How They Did It

Most computer break-ins rely on port-scanning or viruses, methods which are conspicuous and easily detected within WHOI. This break-in was, by comparison, extremely subtle. Rather than attacking vulnerable network services, the attacker targeted users' passwords. Without outside cooperation we would likely not have noticed this attack nearly so quickly.

According to NCSA, this attacker (or others working in the same style) has broken into computers at a number of research institutions in the United States and Europe. The methodology is similar:

  • Gaining access to a user account, by guessing or intercepting the account password,
  • Logging in to other hosts where the user has access,
  • Attempting to gain "root" (superuser) access using local security vulnerabilities,
  • Installing a backdoored copy of the Secure Shell client (ssh) that copies users' passwords and sends them to the attacker.

Investigation of this incident is ongoing at MIT, WHOI, and NCSA.

What You Can Do

This particular attack targeted Unix systems -- SGI IRIX and Solaris -- and the attacker also attempted to break into at least one HP-UX system. According to NCSA, other sites also had Linux systems compromised by the same attacker.

So if you run Unix or Linux systems at WHOI, here are some precautions you can take to deter this type of attack:

  • Disable unneeded user accounts. While it seems "polite" to leave accounts open for people who don't need them any more, it's also a security risk. Disable them, and re-enable them if they're needed later. As a rule, if an account will be disused for three months or longer, disable it.
  • Use strong passwords, and change them regularly. Strong passwords make it harder for an attacker to guess the password and gain access. Changing passwords regularly ensures that if someone has illegitimate access to a password, they will lose it. If you have a weak root or user password, change it today.
  • Do not use "default" passwords, or the same password on lots of systems. These just make it easier for an attacker to gain control of more computers. If you have a computer with a "default" password still set, change it today.
  • Disallow creation of executables in the "/tmp" directory. Many attack scripts rely on compiling a program in "/tmp" and running it. If "/tmp" is its own partition and is mounted with the "noexec" flag, they will be stopped.
  • Use integrity checking software such as "integrit", "bsign", or "tripwire" to detect modified executables on your system.
  • Check your logs! Look for unexpected login attempts, or accesses from WHOI systems that shouldn't be connecting to yours. Particularly check for accesses from systems known to be compromised, like the four listed above.
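As an added illustration of the last item (example code written for this page, not a WHOI tool), the following Python check reads sshd log lines and flags logins that came from the four hosts named above or from addresses outside the network a machine normally sees logins from. The OpenSSH-style log format, the 192.0.2.0/24 campus prefix, the sample log lines and the IP-to-name table are all constructed assumptions.

```python
"""Flag sshd logins worth a second look: sources that are known-compromised
hosts, or outside the networks this machine normally sees logins from."""
import ipaddress
import re

# The four WHOI hosts the advisory names as compromised.
COMPROMISED_HOSTS = {"charybdis.whoi.edu", "ceto.whoi.edu",
                     "coccyx.whoi.edu", "garlock.whoi.edu"}

# Assumption: normal logins come from one campus prefix; 192.0.2.0/24 is a
# documentation range standing in for the real one.
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# OpenSSH-style syslog login line (assumed format; other sshd builds differ):
#   Feb 23 03:14:07 coccyx sshd[812]: Accepted password for jdoe from 192.0.2.17 port 40122 ssh2
LOGIN_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
                      r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def review_logins(lines, resolve):
    """Return (reason, line) pairs. `resolve` maps an IP to a hostname or None;
    it is injected so the check runs offline and can be tested on constructed data."""
    findings = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        src, who = m["src"], f"{m['result']} login for {m['user']}"
        host = resolve(src)
        if host in COMPROMISED_HOSTS:
            findings.append((f"{who} from known-compromised host {host}", line))
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:  # some sshd builds log a hostname; skip the network test
            continue
        if not any(addr in net for net in EXPECTED_NETS):
            findings.append((f"{who} from {src}, outside expected networks", line))
    return findings

# Constructed sample log and name table, not real WHOI data.
SAMPLE_LOG = [
    "Feb 23 03:14:07 coccyx sshd[812]: Accepted password for jdoe from 192.0.2.17 port 40122 ssh2",
    "Feb 23 03:20:41 coccyx sshd[815]: Accepted password for jdoe from 192.0.2.44 port 1023 ssh2",
    "Feb 23 03:22:09 coccyx sshd[819]: Failed password for root from 198.51.100.9 port 2201 ssh2",
    "Feb 23 03:25:00 coccyx sshd[820]: Accepted publickey for admin from 192.0.2.5 port 50011 ssh2",
]
SAMPLE_NAMES = {"192.0.2.44": "garlock.whoi.edu", "192.0.2.17": "ws17.whoi.edu"}

if __name__ == "__main__":
    for reason, line in review_logins(SAMPLE_LOG, SAMPLE_NAMES.get):
        print(f"{reason}\n    {line}")
```

On a real host, feed it `/var/log/authlog` or `/var/adm/messages` (wherever your sshd logs) and a resolver backed by `socket.gethostbyaddr`, and adjust EXPECTED_NETS to the prefixes your users actually log in from.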