SSH attack on dolphin and consequences
- To: "Peter Kammel" <kammel@npl.uiuc.edu>,       "Anatoliy Krivchitch" <kriv@pnpi.spb.ru>,       "Tom Banks" <tbanks@socrates.Berkeley.EDU>,       "Robert Carey" <carey@budoe.bu.edu>,       "Steve Clayton" <smclayto@uiuc.edu>, "Paul Debevec" <debevec@uiuc.edu>,       "Grey Fred Berkeley" <fegray@socrates.Berkeley.EDU>,       "David Hertzog" <hertzog@uiuc.edu>,       "Hildebrandt Malte" <malte.hildebrandt@psi.ch>,       "Brendan Kiburg" <kiburg@npl.uiuc.edu>,       "Sara Knaack" <sknaack@uiuc.edu>, "Peter Kravtsov" <pkravt@gmail.com>,       "Berhard Lauss" <lauss@socrates.Berkeley.EDU>,       "Maev Evgeny" <maev@pnpi.spb.ru>,       "Marat Vznuzdaev" <marat@mail.pnpi.spb.ru>,       "Mulhauser Francoise" <francoise.mulhauser@psi.ch>,       "Petitjean Claude" <Claude.Petitjean@psi.ch>,       "G.E. Petrov" <petrovge@mail.pnpi.spb.ru>,       "R. Prieels" <prieels@fynu.ucl.ac.be>,       "Semenchuk Gennadii" <semench@pnpi.spb.ru>,       "Tim Gorringe" <gorringe@pa.uky.edu>,       "Vladimir Tishchenko" <tishenko@pa.uky.edu>,       "Alexandre Vasilyev" <vassilie@mail.pnpi.spb.ru>,       "Alexei Vorobyov" <vorobyov@pnpi.spb.ru>
- Subject: SSH attack on dolphin and consequences
- From: "Winter Peter" <peter.winter@psi.ch>
- Date: Fri, 6 Oct 2006 14:03:08 +0200
- Cc: <dwebber@npl.uiuc.edu>
- References: <Pine.LNX.4.21.0609251759110.21438-100000@three.npl.uiuc.edu>
- Thread-index: Acbg+Cilpgji/kf1Q7+Ot9XpU/RNIQIRJgBY
- Thread-topic: SSH attack on dolphin and consequences
Dear all,
First of all, let me ask you to forward this email to anybody who you think should get the information as well. Unfortunately, our computer dolphin.psi.ch has been the subject of an SSH attack. The computer department of PSI investigated the system and found some manipulations on the ssh daemon (I will not list them here, but if you are interested to know about the details I can give you some more information). However, and that's important, we all have to follow the instructions from PSI (if applicable to you):
1. Change all user passwords on dolphin and on all our other internal computers (because they might have been sniffed, too). At the moment that's not possible because we have disconnected the entire MuCap computer pool from the outside world. A decision on what to do with these computers will be taken at the MuCap meeting this weekend.
2. You should change the passwords on all external computers which were contacted by ssh from dolphin!
3. All passwords to any AFS account at PSI that was contacted from dolphin need to be changed!
4. All passwords from any AFS account at PSI that were used to contact dolphin need to be changed!
5. All passwords to any non-encrypted connection (i.e. ftp, http, etc.) that was done using dolphin or our internal network.
6. We need to switch off external root access via ssh in the future (needs configuration of sshd).
I am sorry for these inconveniences, but it is important that all of us follow this in order to avoid future attacks again. In case you have special questions, let me know and I will forward them to the security department at PSI.
Best greetings and a great and successful MuCap unblinding meeting
Peter
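
For item 6, the sshd option that controls root access is `PermitRootLogin` in `sshd_config`. The following is an added example, not part of the original e-mail or of PSI's instructions: a Python check that reports every scope in which a config still permits root login. The sample config is constructed, the function names are hypothetical, and `Include` files are not followed.

```python
import re

# Constructed sample sshd_config (not taken from dolphin). sshd uses the first
# value it sees for a keyword, so the later "permitrootlogin yes" is ignored.
SAMPLE = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication yes
permitrootlogin yes

Match Address 192.168.0.0/16
    PermitRootLogin prohibit-password
"""

def root_login_settings(text):
    """Return (global_value, {match_criteria: value}) for PermitRootLogin.

    global_value is None when the keyword is absent; the compiled-in default
    of the installed OpenSSH version then applies.
    """
    global_value, match_values, current_match = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        keyword, arg = parts[0].lower(), parts[1].strip()  # keywords are case-insensitive
        if keyword == "match":
            current_match = arg            # following lines belong to this Match block
        elif keyword == "permitrootlogin":
            if current_match is None:
                if global_value is None:   # first value wins
                    global_value = arg
            else:
                match_values.setdefault(current_match, arg)
    return global_value, match_values

def audit(text):
    """Return findings; an empty list means root login is 'no' in every scope."""
    global_value, match_values = root_login_settings(text)
    findings = []
    if global_value is None:
        findings.append("global: PermitRootLogin not set, version default applies")
    elif global_value != "no":
        findings.append(f"global: PermitRootLogin {global_value}")
    for criteria, value in match_values.items():
        if value != "no":
            findings.append(f"Match {criteria}: PermitRootLogin {value}")
    return findings
```

On a live host, the effective value after all includes and defaults can be confirmed with `sshd -T`, which prints the resolved configuration.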