Hi gang,
This one is unrelated to NMR, but important if you have a linux box
(i.e., new brukers will) with all your data on it.
A little web server that we have here was hacked last weekend with a
very pernicious rootkit called 'knark'. The hacker got into the
machine, probably exploiting a vulnerability in one of the ports not
protected by our firewall (great firewall, uh?), then installed this
program, and got root access. The program (actually, a gzipped
'distribution' with makefile and everything) was installed deep in
/dev/, so it would be hard to find. He also replaced a loadable
kernel module by a trojan that would open the ports/services he
wanted open after reboots. He also installed a variety of trojan
replacements for common system commands (ps, ls, ifconfig, netstat,
etc., etc.) that made the hacker's processes hidden to the user, as
well as other programs, such as 'rootme', which gave him root
privileges with no passwords, and a sniffer, so he could look at
usernames/passwords that were issued from that machine. He/she also
wiped out the /var/log directory to cover his tracks. This was his
mistake, as the web-server died when /var/log/httpd was gone, and
that's how I realized we were being hacked.
In any case, the only solution was to unplug the thing from the wall,
and now we are consulting with our isp provider on the best route to
take to make our server secure. I looked at 'tripwire', but
apparently knark can get around tripwire. I'm certain that we'll have
to re-format the drive and re-install the OS.
Take-home message: If you are running brukers with linux, be VERY
careful about these things. I also read that if the hacker had been a
little less sloppy, we would not have noticed anything abnormal! If
you need to have the linux box on the network (even a private one),
remove ANY unused service, and firewall everything else. Also, if you
are not doing development of programs, disable the C compilers, so
that these things cannot be installed.
Just thought I'd share my frustration with the group...
Cheers,
Guillermo
+==================-------------- --- -- - - - -
Guillermo Moyna, PhD
Assistant Professor of Chemistry
Department of Chemistry & Biochemistry
University of the Sciences in Philadelphia
600 South 43rd Street
Philadelphia, PA 19104-4495
"The only existing things are atoms and empty space.
All else is mere opinion" - Democritus, 370 B.C.
Office: Grifith Hall 360
Phone: (215) 596-8526
Fax: (215) 596-8543
e-mail: g.moyna_at_usip.edu
WWW: http://tonga.usip.edu/gmoyna/index.html
http://www.usip.edu/chemistry/faculty/moyna.asp
- - - - -- --- -----------=================+
Received on Wed Dec 12 2001 - 16:09:22 MST
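Added example, not part of Guillermo's post and not code from knark or from any of the tools he mentions: the post describes trojaned `ps`/`ls`/`netstat` binaries and a trojaned kernel module that together hide the intruder's processes. One defender-side check for that class of problem is to take the process table from three independent angles and compare them: what `ps` says, what a directory listing of /proc says, and what a direct probe of /proc/<pid> says. The function names (`pids_from_ps`, `pids_from_proc_probe`, `missing_from`, `report_hidden`) are my own; the script assumes a Linux box with /proc mounted, a procps-style `ps -e -o pid=`, and the usual POSIX tools, and it is meant to be run as root, ideally with known-good binaries from read-only media, since the system's own `ps` and `ls` may be the trojans under test.

```shell
#!/bin/sh
# Added example (not from the original post or from knark): compare three
# views of the process table to spot processes hidden by a trojaned ps or
# by a kernel module that filters /proc directory listings.
# Assumptions: Linux with /proc mounted, procps-style `ps -e -o pid=`,
# and POSIX awk/sort/grep/tr. Run as root, preferably with known-good
# binaries from read-only media.

# Highest PID to probe. Read the kernel's limit when possible; fall back
# to the traditional Linux default of 32768.
MAX_PID=${MAX_PID:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}

# View 1: what the ps binary reports (the view a trojaned ps controls).
pids_from_ps() {
    ps -e -o pid= | tr -d ' ' | grep '^[0-9][0-9]*$' | sort -n | uniq
}

# View 2: what a directory listing of /proc shows (the view a hooked
# readdir/getdents controls).
pids_from_proc_listing() {
    ls /proc | grep '^[0-9][0-9]*$' | sort -n | uniq
}

# View 3: probe /proc/<n> directly for every n up to MAX_PID. A module
# that only filters directory listings still has to answer a direct stat
# of the entry, so this view is harder to fake. Slow when pid_max is
# large, but that is the price of not trusting the listing.
pids_from_proc_probe() {
    n=1
    while [ "$n" -le "$MAX_PID" ]; do
        [ -d "/proc/$n" ] && echo "$n"
        n=$((n + 1))
    done
    return 0
}

# Print the entries of $1 that are absent from $2 (both newline-separated).
missing_from() {
    printf '%s\n' "$1" | awk -v have="$2" '
        BEGIN { n = split(have, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($1 in seen) { print $1 }'
}

# Take all three views and report the discrepancies. Processes that start
# or exit while the views are being taken show up as noise, so run this
# twice and only chase PIDs that appear in both reports.
report_hidden() {
    ps_list=$(pids_from_ps)
    dir_list=$(pids_from_proc_listing)
    probe_list=$(pids_from_proc_probe)
    echo "== PIDs in /proc listing but not reported by ps (trojaned ps?)"
    missing_from "$dir_list" "$ps_list"
    echo "== PIDs found by direct probe but absent from /proc listing (hooked readdir?)"
    missing_from "$probe_list" "$dir_list"
}

# Invoke with --run to perform the check; defining the functions alone has
# no side effects, so the file can also be sourced from another script.
case "${1:-}" in
    --run) report_hidden ;;
esac
```

Usage: `sh hidden-procs.sh --run` as root. An empty report is not a clean bill of health: a kernel module that hooks the system calls themselves, rather than just the directory listing, can lie to all three views at once, which is the same reason the post concludes that tripwire can be bypassed and that reformatting and reinstalling is the only safe route. The check is useful for confirming a suspicion quickly, not for proving a box clean.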