February 24, 2005
My Computer Was Hacked (So Says Network Security)
After studying Tuesday night, I went to use my Linux desktop, only to find Gaim was no longer logged in. Service outages aren't uncommon, so I tried to connect without any success. After playing around for a few minutes, I realized my network was completely shut down. I couldn't even pull an IP from DHCP. Once I found out nobody else was having issues, I became very concerned that my expensive fiber card died. Fortunately, this was not the case.
My first step was to switch the faceplate to which my computer is connected. Immediately, I was back on the network. Strange, I thought, somebody had deactivated my faceplate. I was shocked because I was sure that my system had not been engaging in any questionable activity. Luckily, one of my friends works for Perceptis, so I asked if he could check into matters at work the next day. He informed me that a list of valid usernames/passwords was found on a compromised computer on campus. Immediately, I feared the worst: interception of my main user (with unlimited sudo privs) or Case network password. Fortunately, he was able to tell me the accounts that were hacked. When he did so, I laughed. Both users, "distcc" and "icecast", are very underprivileged users on my machine. Both have their shell set to /bin/false and the home directory as /dev/null. It is no wonder I didn't bother setting a challenging password for these users.
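The service-account detail above is the part worth auditing on any machine: a non-login shell such as /bin/false only ends the session after authentication has already succeeded, so the password on such an account remains a valid credential to any service that checks it, and a weak one is still worth stealing. The check below is an added example, not code from the original post; it parses constructed /etc/passwd and /etc/shadow lines (the user names and hashes are made up) and flags accounts whose shell blocks logins but whose shadow entry still holds a usable password hash instead of a locked one.

```python
"""Audit check: service accounts whose shell blocks logins but whose password is still usable."""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample data modelled on the post: distcc and icecast both use
# /bin/false, but only icecast's password has been locked (hash begins with '!').
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
greg:x:1000:1000:Greg:/home/greg:/bin/bash
distcc:x:101:101:distcc daemon:/dev/null:/bin/false
icecast:x:102:102:icecast daemon:/dev/null:/bin/false
sshd:x:74:74:sshd privsep:/var/empty/sshd:/sbin/nologin
"""
SHADOW = """\
root:$6$saltsalt$FAKEHASHROOT:12000:0:99999:7:::
greg:$6$saltsalt$FAKEHASHGREG:12000:0:99999:7:::
distcc:$1$saltsalt$FAKEHASHDISTCC:12000:0:99999:7:::
icecast:!:12000:0:99999:7:::
sshd:*:12000:0:99999:7:::
"""

def parse_field(text, index):
    """Map user name -> the given colon-separated field, for passwd/shadow-style text."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line and not line.startswith("#") and len(fields) > index:
            result[fields[0]] = fields[index]
    return result

def password_is_locked(hash_field):
    """A hash beginning with '!' or '*' can never match a password; anything else
    (including an empty field, which means no password at all) is usable."""
    return hash_field.startswith(("!", "*"))

def unlocked_service_accounts(passwd_text, shadow_text):
    """Users with a non-login shell whose shadow entry still holds a usable password."""
    shells = parse_field(passwd_text, 6)
    hashes = parse_field(shadow_text, 1)
    return sorted(
        user for user, shell in shells.items()
        if shell in NOLOGIN_SHELLS and not password_is_locked(hashes.get(user, "!"))
    )

if __name__ == "__main__":
    for user in unlocked_service_accounts(PASSWD, SHADOW):
        print(f"{user}: non-login shell but password not locked; run 'passwd -l {user}'")
```

On a real host, read the two files instead of the constructed strings; `passwd -l` prefixes the stored hash with `!`, which is the locked form this check looks for.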
Later that evening, I heard that Perceptis called my old room in the morning with regard to the shutdown. Ironically enough, the person who now lives there also has the name Greg, so he thought they were calling for him. I was glad to hear they called. By contacting me, they are definitely doing their job right!
Although everything is OK now, there are some procedures I think need fine-tuning. First, my faceplate was deactivated. Why was this step taken instead of putting my computer on the quarantined network? When you go on the quarantined network, at least you are told what the problem is and what needs to be done to remedy the situation. Deactivating my faceplate solved nothing, as I just moved my cables elsewhere. Although not pertinent in my case, if multiple computers had been connected to that faceplate, they would have all been disabled! Not cool. Secondly, the phone call from Perceptis didn't come as soon as I would have liked. However, I forgive them. I am told that there were so many computers "compromised" that they were literally inundated with keeping up. After all, for every computer hostname CNS sent them (after CNS deactivated the faceplate), they had to create a ticket, and that takes time. The fact that this happened after 6 PM complicated matters even further. I know security is a 24h business and they have a right to terminate access if they feel there is a threat, but cutting off a person's network with little or no chance of getting back on that same day is a really big inconvenience.
Things have come a long way in terms of customer service since I've been at the university. I applaud all those involved for the patience they exhibit with irate and befuddled individuals. My experience this week shows that even though customer service has come a long way, there is still room to grow.