Tycho -- the central 3.5m operations computer -- was broken into on Wednesday afternoon. They logged on using a regular APO account and became root, then installed a sniffer program which ran until Friday afternoon. The username and password were almost certainly picked up offsite. As far as I can tell, only "3.5m" computers were exposed, and only tycho was actively hacked.

I have changed essentially all 3.5m-related passwords and disabled most accounts. I also disabled nearly all services on all APO computers (3.5m and SDSS). In particular, telnet, ftp (except on sdsshost and galileo), and the rsh/rlogin services have been shut down, as has email to all but galileo (a.k.a. apo.nmsu.edu) and sdss-commish.

I'll be turning on what services *need* to be turned on, and working on better monitoring and more tightly focused access control. In the meanwhile, please look into using the SSH programs to connect to APO. I'd be glad to explain this and help you, but will suggest that your institution's own computing support might be more efficient and informative just now.

For the 3.5m folks, Remark connections are safe and Remark is working fine, except for the ftp function. If you need an account re-activated, please contact me at work.

APO is still under active "attack", and I might disconnect the Internet line or shut down computers again.

- craig

Apache Point Observatory 3.5m

This is message 313 in the apo35-general archive. You can find the archive on http://www.astro.princeton.edu/APO/apo35-general/INDEX.html
To join/leave the list, send mail to apo35-request@astro.princeton.edu
To post a message, mail it to apo35-general@astro.princeton.edu
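The notice above describes shutting down the cleartext remote-access services (telnet, ftp, rsh/rlogin) and moving users to SSH. The following is an added example, not part of the original message or of APO's own tooling: a small POSIX shell audit that reads an inetd.conf-style file, reports which of those services are still enabled, and emits a copy with the risky entries commented out. The inetd.conf contents and the list of service names treated as risky are constructed for the example; the service names are the conventional inetd entries for ftp, telnet, rsh (`shell`), rlogin (`login`) and rexec (`exec`).

```shell
#!/bin/sh
# Added example (not from the original message). Audits an inetd.conf-style
# file for cleartext remote-access services and produces a hardened copy.

# Constructed sample inetd.conf: ftp and rlogin still enabled,
# telnet and rsh already commented out, finger left alone.
SAMPLE_INETD_CONF=$(cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root   /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root   /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
EOF
)

# enabled_cleartext_services CONF_TEXT
# Prints, one per line, the names of risky services whose inetd entry is
# not commented out. Exit status 0 if none are enabled, 1 otherwise.
enabled_cleartext_services() {
    printf '%s\n' "$1" | awk '
        BEGIN { risky["ftp"]=1; risky["telnet"]=1; risky["shell"]=1;
                risky["login"]=1; risky["exec"]=1; n=0 }
        /^[ \t]*#/ { next }          # commented-out entries are disabled
        NF == 0    { next }          # blank lines carry no service
        ($1 in risky) { print $1; n++ }
        END { exit (n > 0) }
    '
}

# disable_cleartext_services CONF_TEXT
# Prints CONF_TEXT with every enabled risky entry commented out; all other
# lines (including services such as finger) pass through unchanged.
disable_cleartext_services() {
    printf '%s\n' "$1" | awk '
        BEGIN { risky["ftp"]=1; risky["telnet"]=1; risky["shell"]=1;
                risky["login"]=1; risky["exec"]=1 }
        /^[ \t]*#/ || NF == 0 { print; next }
        ($1 in risky)         { print "#" $0; next }
        { print }
    '
}

# Usage: report what is still listening via inetd, then show the fix.
if enabled_cleartext_services "$SAMPLE_INETD_CONF"; then
    echo "no cleartext remote-access services enabled"
else
    echo "^ still enabled; hardened configuration follows:"
    disable_cleartext_services "$SAMPLE_INETD_CONF"
fi
```

On a live host the same functions can be pointed at the real file with `enabled_cleartext_services "$(cat /etc/inetd.conf)"`; after editing, inetd must be signalled to re-read its configuration, and the check only covers inetd-managed daemons, not services started standalone from rc scripts.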