Report on incident 2002/11/10 on www.tcpdump.org

Between November 7th and November 10th, there was an intrusion on lox.sandelman.ca, aka cvs.tcpdump.org. It likely occurred through either Apache+SSL (openssl was not patched; I thought I'd just turned SSL off), or via openssh.

The attack resulted in the addition of a public key to several SSH authorized_keys files, including mine.

On November 11th, around 10am, a trojan copy of tcpdump 3.7.2 and libpcap 0.6.2 was installed using my account. This was discovered on November 12th by some Linux users in Houston, and slashdotted that night. I received notification from an Australian mirror of the furor by phone on Wednesday November 13th, unfortunately, after I'd just travelled to Atlanta for IETF55.

On the afternoon of November 13th, lox.sandelman.ca was quarantined - the default route was removed, with selective connectivity enabled for specific uses. (It is my mail relay/pop mailbox server, after all.)

On November 15th, proper tcpdump.org files were put online again. The machine remained quarantined until I knew that I'd be home long enough to watch it.

The machine was upgraded to NetBSD 1.6 on December 2nd and 3rd, with some additional patches applied already. The default route was restored on December 3rd at 16:00.

Other machines have been audited and no other situations have been seen. In general, there were too many eggs on that machine - it made it very hard to upgrade in a timely manner. There are plans to distribute the work a little more. These plans are not new - alas.

If there are services (other than list searches, which continue to be broken) which you expect to have returned, then please let me know.

Last updated: $Date: 2002/12/04 00:04:57 $ by MCR