Subject: APO computer security problems.

From: Craig Loomis

Submitted: Mon, 5 Oct 1998 00:31:18 -0600

Message number: 313

   Tycho -- the central 3.5m operations computer -- was broken into on
Wednesday afternoon. They logged on using a regular APO account and became
root, then installed a sniffer program which ran until Friday afternoon.
The username and password were almost certainly picked up offsite. As far
as I can tell, only "3.5m" computers were exposed, and only tycho was
actively hacked.
  I have changed essentially all 3.5m-related passwords and disabled most
accounts. I also disabled nearly all services on all APO computers (3.5m
and SDSS). In particular, telnet, ftp (except on sdsshost and galileo), and
the rsh/rlogin services have been shut down, as has email to all but
galileo (a.k.a. apo.nmsu.edu) and sdss-commish.
  I'll be turning on what services *need* to be turned on, and working on
better monitoring and more tightly focused access control. In the
meanwhile, please look into using the SSH programs to connect to APO.  I'd
be glad to explain this and help you, but will suggest that your
institution's own computing support might be more efficient and
informative just now. For the 3.5m folks, Remark connections are safe and
Remark is working fine, except for the ftp function.
   If you need an account re-activated, please contact me at work.
   APO is still under active "attack", and I might disconnect the Internet
line or shut down computers again.

 - craig
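The message shuts down the cleartext and host-trust services (telnet, ftp, rsh/rlogin) and asks users to move to SSH. The script below is an added example, not part of the original message or of APO's own tooling, showing how an administrator of that era would audit a copy of inetd.conf and comment those services out before reloading inetd. The sample inetd.conf is constructed for the example, and the inclusion of rexec ("exec") alongside rsh/rlogin is an assumption, since it shares their trust model but is not named in the message.

```shell
#!/bin/sh
# Added example (not from the original message): disable the cleartext and
# trust-based inetd services the incident notice shut down, working on a
# copy of inetd.conf so the change can be reviewed before it is installed.

# Constructed sample inetd.conf, standing in for /etc/inetd.conf.
SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp nowait root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp nowait root   /usr/sbin/tcpd  in.telnetd
shell   stream  tcp nowait root   /usr/sbin/tcpd  in.rshd
login   stream  tcp nowait root   /usr/sbin/tcpd  in.rlogind
exec    stream  tcp nowait root   /usr/sbin/tcpd  in.rexecd
finger  stream  tcp nowait nobody /usr/sbin/tcpd  in.fingerd
#tftp   dgram   udp wait   root   /usr/sbin/tcpd  in.tftpd
EOF

# Services to disable: cleartext logins (telnet, ftp) and the r-services
# (shell = rsh, login = rlogin). "exec" (rexec) is an assumption added here.
CLEARTEXT_SERVICES="ftp telnet shell login exec"

# disable_cleartext_services <inetd.conf> <output>
# Writes a copy of <inetd.conf> to <output> with every active entry whose
# service name is in CLEARTEXT_SERVICES commented out. Lines already
# commented out (first field starts with '#') are left untouched.
disable_cleartext_services() {
    in="$1"; out="$2"
    pattern=$(printf '%s' "$CLEARTEXT_SERVICES" | sed 's/ /|/g')
    awk -v pat="^(${pattern})\$" '
        $1 ~ pat { print "#" $0 "   # disabled after incident"; next }
        { print }
    ' "$in" > "$out"
}

# active_service_count <inetd.conf> <service>
# Prints the number of active (uncommented) entries for <service>.
active_service_count() {
    awk -v svc="$2" 'BEGIN { n = 0 } $1 == svc { n++ } END { print n }' "$1"
}

# Demo on the constructed sample. On a real host an admin would diff the
# result against /etc/inetd.conf, install it, then send inetd a HUP so it
# re-reads its configuration.
HARDENED=$(mktemp)
disable_cleartext_services "$SAMPLE_INETD" "$HARDENED"
for svc in $CLEARTEXT_SERVICES finger; do
    printf '%-7s active entries before=%s after=%s\n' "$svc" \
        "$(active_service_count "$SAMPLE_INETD" "$svc")" \
        "$(active_service_count "$HARDENED" "$svc")"
done
```

Keeping finger and the already-commented tftp line untouched is deliberate: the function changes only the services named in the list, so the diff an administrator reviews contains exactly the intended change and nothing else.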

APO APO APO APO APO  Apache Point Observatory 3.5m  APO APO APO
APO
APO  This is message 313 in the apo35-general archive. You can find
APO  the archive on http://www.astro.princeton.edu/APO/apo35-general/INDEX.html
APO  To join/leave the list, send mail to apo35-request@astro.princeton.edu
APO  To post a message, mail it to apo35-general@astro.princeton.edu
APO
APO APO APO APO APO APO APO APO APO APO APO APO APO APO APO APO