Doh
Got into work today just as a co-worker got a call from a research group we have, saying they think one of their machines (running Solaris 7) had been cracked. He checked it out, and sure enough, it was cracked. So he checked another one.. and another one.. at 7 machines, he said "uh oh". So I had a look at some more suns we had.. 3 of 6 were cracked too. This is when I thought.. doh
So I talked to UWA's friendly network admin and got traffic logs from those machines for yesterday (we caught the hack in about 12 hours.. pretty well done). Had a look thru, and tada.. they had all grabbed patches from sunsolve8.sun.com ... Talked to the network admin again, and got packet logs for all our machines which had accessed sunsolve8.sun.com .. and found a total of 16 machines on our network which had been hacked. Then, being the public spirited person I am, I got a sysadmin in another department to check his suns.. and some of them were hacked too.. then, I got the network admin guy to mail the technical contacts for everyone who had a machine access sunsolve8.sun.com.
Evidently he told people to contact me for more information.. so I was getting calls and emails from people all over campus looking for more information. Kinda exciting really ;) From the calls I got.. looks like about 60 machines on campus hacked. Umm.. oops. That'll be fun. They exploited a bug found in Solaris and announced last week. Blah. It was good being the central contact, cause I was able to get more information from another department that had several machines hacked. They use a transparent proxy, and were able to find a copy of the hacking tools installed on each system. So I got a copy of that, and am now pretty sure I know what they did. Solaris crackers are weird.. in all the sun hacks I have seen, the first thing they do is download all the operating system patches from sun.com and apply them. Must be doing it to show they don't have malicious intent. No malicious intent my ass. Anything which takes 20 hours of my time to fix is not non-malicious.
So tomorrow, I have to reinstall.. or possibly "clean" the 4 suns in our department that got hacked :P The boss really favours a clean install.. but sheesh.. that's like a day per machine. I have a lot better stuff to do with my time. I think I can clean them pretty well.
Sigh. I wanna be doing PHP. Then I have to write a printer spooler. And take half a day off to buy plane tickets :D
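The pivot used above (pull the proxy logs, list every host that fetched from sunsolve8.sun.com, then go and check each one) as an added triage script; this is not part of the original post. It assumes the transparent proxy writes Squid native access.log lines, and the sample lines below are constructed with documentation addresses.

```python
import re
from urllib.parse import urlparse

PATCH_HOST = "sunsolve8.sun.com"

# Squid native access.log fields (assumed format):
# time elapsed client code/status bytes method URL ident hierarchy type
LINE_RE = re.compile(
    r"^(?P<ts>\d+)(?:\.\d+)?\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)

# Constructed sample: two servers and one admin workstation hit the patch
# server, one unrelated request, and one malformed line the parser must skip.
SAMPLE_LOG = """\
984102301.123   412 192.0.2.4 TCP_MISS/200 23410 GET http://sunsolve8.sun.com/patches/106541-12.zip - DIRECT/198.51.100.10 application/zip
984102345.871   120 192.0.2.4 TCP_MISS/200 88120 GET http://sunsolve8.sun.com/patches/107709-08.zip - DIRECT/198.51.100.10 application/zip
984102400.005   301 192.0.2.9 TCP_MISS/200 51200 GET http://sunsolve8.sun.com/patches/106541-12.zip - DIRECT/198.51.100.10 application/zip
984102500.660    55 192.0.2.30 TCP_HIT/200 4120 GET http://www.example.org/index.html - NONE/- text/html
984105000.200   210 192.0.2.50 TCP_MISS/200 23410 GET http://sunsolve8.sun.com/patches/106541-12.zip - DIRECT/198.51.100.10 application/zip
this line is garbage and must be skipped
"""


def parse_squid(text):
    """Yield (epoch_seconds, client_ip, hostname) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate junk lines rather than abort the whole triage
        host = urlparse(m["url"]).hostname
        if host:
            yield int(m["ts"]), m["client"], host.lower()


def suspect_hosts(text, admin_clients=frozenset()):
    """Map each client that fetched from PATCH_HOST to (first_seen, hits),
    ordered by first contact so the result doubles as a rough timeline.

    A hit is a lead for a hands-on check, not proof of compromise: admins
    pull patches too, which is why known admin workstations are excluded."""
    found = {}
    for ts, client, host in parse_squid(text):
        if host != PATCH_HOST or client in admin_clients:
            continue
        first, hits = found.get(client, (ts, 0))
        found[client] = (min(first, ts), hits + 1)
    return dict(sorted(found.items(), key=lambda kv: kv[1][0]))
```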