[scripts-announce] scripts.mit.edu security incident in December

Geoffrey Thomas geofft at mit.edu
Fri Jan 8 02:48:00 EST 2010


On December 4, an outside attacker gained privileged access to one of the 
scripts.mit.edu web servers. The attacker replaced the 'sshd' SSH server binary 
on cats-whiskers.mit.edu with a modified version, and then logged into that 
server. The attacker set off an automated tripwire that we have in place to 
catch this sort of attack as well as generated remote syslog messages when 
replacing the sshd binary, and a scripts administrator who was online at the 
time was able to immediately block the attacking server's IP address from all 
servers and shut down the compromised server.
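The announcement credits an automated tripwire and remote syslog messages with catching the replaced sshd binary. The following is an added example, not scripts.mit.edu code: a minimal tripwire-style integrity check that baselines SHA-256 digests of monitored files, reports any file that later changed or went missing, and formats the finding as a syslog-style alert line of the kind a host would forward to a remote collector. The file contents, the hostname string and the `tripwire:` tag are constructed for the demo.

```python
"""Added example (not scripts.mit.edu's own code): tripwire-style file
integrity check with a syslog-style alert line. The 'sshd' and
'sftp-server' files below are constructed stand-ins, not real binaries."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Record the known-good digest of each monitored file."""
    return {p: sha256_of(p) for p in paths}


def check_integrity(baseline):
    """Return a sorted list of (path, status) for every deviation from baseline:
    'missing' if the file is gone, 'modified' if its digest no longer matches."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_of(path) != expected:
            findings.append((path, "modified"))
    return sorted(findings)


def format_alert(hostname, findings):
    """RFC 3164-style lines: facility auth (4) * 8 + severity alert (1) = PRI 33.
    In production these would be sent to the remote syslog server, so that they
    survive an attacker deleting the on-disk logs."""
    return ["<33>%s tripwire: %s %s" % (hostname, status, path)
            for path, status in findings]


def demo():
    """Baseline two constructed files, overwrite the fake 'sshd', and detect it."""
    with tempfile.TemporaryDirectory() as d:
        sshd = os.path.join(d, "sshd")
        sftp = os.path.join(d, "sftp-server")
        with open(sshd, "wb") as f:
            f.write(b"original sshd bytes (constructed)")
        with open(sftp, "wb") as f:
            f.write(b"sftp-server bytes (constructed)")
        baseline = take_baseline([sshd, sftp])
        clean = check_integrity(baseline)          # nothing changed yet
        with open(sshd, "wb") as f:
            f.write(b"replaced sshd bytes (constructed)")
        findings = check_integrity(baseline)       # only 'sshd' deviates
        alerts = format_alert("example-host", findings)
        return clean, [status for _, status in findings], alerts


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

Running the module prints one alert line for the overwritten `sshd` stand-in and nothing for the untouched `sftp-server`. A real deployment would run the check from cron, keep the baseline off the monitored host, and ship the alert lines over the network, since an attacker with root can rewrite both the binary and the local log.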

The scripts team went through forensics and logs from the server; although 
the on-disk logs were removed, we had access to remote syslog data, and we 
were able to get in contact with the owner of the machine that accessed 
ours. That machine had not been well-maintained, and we believe that this 
is merely the result of a botnet attempting to gain access to as many 
servers as it can rather than a targeted attack on scripts. (That machine 
has now been shut down.) We watched the other servers and their logs 
carefully and did not see signs of an attack, and we reinstalled 
cats-whiskers.mit.edu from scratch before returning it to the server pool.

scripts.mit.edu uses industry-standard best practices for security, including 
taking software updates promptly and requiring privilege separation (suEXEC) 
for all web and other content hosted on our servers, in addition to various 
security, logging, and alert mechanisms of our own. The nature of Linux is that 
there are, periodically, local privilege escalation attacks, some publicly 
known and some not. We try to do all that we can to reduce the likelihood of 
successful attacks, either targeted or untargeted, against scripts.mit.edu 
servers. We regret that an attacker successfully gained access to our server, 
but we do not believe that the attacker was able to access any keys or user 
data before being blocked.

Feel free to contact the scripts team at scripts at mit.edu if you have any 
questions about this security incident or about the scripts.mit.edu service.

-- 
Geoffrey Thomas
scripts.mit.edu project architect
scripts at mit.edu


