
UPENET

ICT Security

Anatomy of An Intrusion

Miguel Sánchez-López

2006, Miguel Sánchez-López, under "Creative Commons Attribution-NonCommercial-NoDerivs 2.5" License,


<http://creativecommons.org/licenses/by-nc-sa/2.5/>

This paper was first published, in Spanish, by Novática (issue no. 178, Nov.-Dec. 2005, pp. 69–73). Novática, <http://www.ati.es/novatica>, is a bimonthly journal published, in Spanish, by the Spanish CEPIS society ATI (Asociación de Técnicos de Informática – Association of Computer Professionals), a founding member of UPENET. This paper was a finalist of the I Novática Award for the best article published in 2005.

This article describes vividly what happened when the author detected his computer at a university network had been
broken into. From detection to tracking the intruders down there was a long and winding path that included reporting the
incident to the authorities and, later, the prosecution of those responsible.

Keywords: Computer Networks, Intrusion, Secure Communications, Security Policies, Vulnerabilities.

1 The Environment of The Incident

The Computer Engineering Department (DISCA) of the Polytechnic University of Valencia, Spain, is one of the largest of that university, with around one hundred faculty members.

Our campus network is one of the most populated campus networks in Spain, with more than 24,000 personal computers, using mostly one flavour or another of Microsoft Windows. Fewer people use any of a number of GNU/Linux distributions (Debian/Ubuntu, SuSE, Fedora, Mandrake are the most popular). The Computer Centre runs a variety of Unix and Windows servers (HP, Sun and others). We also have some Apple fans running either OS9 or OSX on their white computers.

Campus network infrastructure has been evolving since the early days when we had just a single Ethernet segment. From an almost flat network we have moved to a massive use of subnetting, but some segments with several thousand computers still remain. Each building connects to the backbone using either Fast Ethernet or Gigabit Ethernet, though for some time FDDI rings and ATM links were also used. Our campus network is connected to three other nodes of the national research network infrastructure (RedIRIS) by means of 2.5 Gbps links. A fourth node is connected at 622 Mbps. The RedIRIS network provides Internet access to universities and other research institutions.

Each computer's set-up and administration depends on location and ownership. Common services like university web servers and databases are run by the Computer Centre (ASIC), and so are most of the computers the university staff uses. Some departments may have their own system admins too.

My department, as a Computer Engineering unit, does most of the administration of departmental servers and personal computers. Services like print servers, the email server, the departmental database and web servers are managed by our own technicians. Most faculty members manage their own personal computer, but help is available should any of them request it. Each faculty member is also responsible for keeping the required software licenses for the software they use, save for Microsoft products, for which there is a special campus-wide agreement. Lecturers are free to use whatever software they like.

Author

Miguel Sánchez-López holds a PhD in Computer Science from the Universitat Politècnica de Valencia (UPV), Spain, where he got his BSc and Master degrees too. He joined the Faculty of the Computer Engineering department in 1988 and he has been teaching different topics dealing with Computer Networks ever since. He was a visiting researcher at the Wireless Network Lab at the School of Electrical Engineering at Cornell University, USA, in 1999 as well as at the International Computer Science Institute at Berkeley, USA, from 2000 to 2001. He consults for some companies and has written six books. His research focuses around ad-hoc networking and sensor networks for energy conscious applications. <misan@upvnet.upv.es>

66 UPGRADE Vol. VII, No. 4, August 2006 © CEPIS



2 The Circle of Trust

My computing environment at the university has been changing over the years; from the early days when I started using DOS 3.0, to a clean sweep of Windows 3.1, 3.11, 95, 98, and eventually Windows 2000. Then, after a research stay at Cornell University where I started using Solaris, I came back to using RedHat and then SuSE Linux (as the latter was being installed in several of our labs).

At the end of the last century my department bought a new email server equipped with some email server software by SuSE to power our email requirements, offering users the possibility of using encrypted Secure Socket Layer connections to the server, so our mail traffic and user credentials would not be easy to eavesdrop. Meanwhile, the university email servers, which only allowed regular (plain text) connections that were easy to eavesdrop, were considered at the time to be a security problem that could lead to unauthorised access to our mail messages.

That server worked flawlessly for several years, with minor hiccups whenever a user's disk quota was exceeded. In fact, it worked so well that software updates were almost forgotten, and because nobody experienced any problem we were not aware that we were at risk.

I am not a security expert, but as a Computer Networks lecturer I was aware of some of the risks involved when you use a LAN. I always use an SSH (Secure Shell) application to connect to the various computer systems I use either at home or on campus. I use this same application for file transfers too. Over the years I have been using the same password for a set of systems I considered 'safe'. So my office computer and other accounts I had on several (but not all) campus computers had the same user credentials. Whenever I thought a given system was not reliable I used a different password.

3 Regular Checks

As even the best security may fail sometimes, it is always advisable to perform a check on your system's logs. Hopefully nothing will show up, but if you catch any unexpected pattern it may be time to take some immediate corrective action.

That was the case on April 30, 2004 when, after returning from my Easter holidays, I discovered some connections on my ssh logs dated April 5 that I had not made. I knew something fishy was going on because of the IP address the connections were coming from: it was from rootshell.be, <http://www.rootshell.be>, and I had never heard of that before. After checking on their web site I learned that Rootshell.be was a company offering free shells over the Internet. Whoever was using that server to access my office computer was doing so to hide their real identity.

4 Panic Attack

OK, so somebody did it: my computer had been wide open for some time, but logs showed that somehow the intruder knew my password. The easy part was to change the password to prevent future intruder accesses, but at the same time I started wondering how the intruders had obtained my password and who they were.

I needed to check if the intruder had installed any type of rootkit on my system and whether they had gained access to any of my other accounts on other systems. Also, my problem might be symptomatic of a bigger problem, so I had to inform my colleagues of the situation so they could also check their computers and servers.

When I checked my home computer and several of the accounts on campus servers I realized several illegal connections had been made from <http://www.rootshell.be> as well as from another unknown IP address. Unfortunately, this second IP address was not leaking any details about its owner, as it happened to belong to the address pool of the Spanish ISP "Telefónica Transmisión de Datos". So it was a computer of one of their clients, but they had more than one hundred thousand!

I did not have admin privileges on some of the affected servers, so I needed to ask for the logs from those systems' admins. When I got the information back I realized that the intruders had been very busy, jumping from one system to another, always using my user credentials. To make things worse, they had been quite tidy about removing any clues of what they had done on each system.

5 More Victims on Board

So, as I was putting all the logs together and making a time diagram of all the accesses (which was not easy, as one server had its clock out by an unknown amount of time) I realized the first access to any of my accounts came from our departmental email server.

This was a surprising discovery, as it signalled the beginning of the intrusion on my personal computer. Once again I had to ask the system admin to pull my user account data from the logs, and this revealed even worse news: there were some users that the admin was not previously aware of. When you factor in the fact that you need to have admin privileges to create new user accounts, it was clear that the intruders had obtained root access to the university email server.

The server was immediately disconnected from the network and several people started to dig for more details. It turned out that the intruders had installed software to sniff the network and they had been collecting data into huge files hidden in the file system. Some of the accesses of those previously unknown users were coming from another local cable ISP called ONO.

It was now clear that the intruders had broken into the university mail server and then, by sniffing on that system, they had been able to obtain user passwords. So it was no longer just my problem.

6 Let The Quest Begin

So now we know that the intruders gained access to our department's email server first. And once they had access they used a local exploit to escalate privileges. Unfortunately, the poor maintenance of the system made this process quite easy.

The intruders did try some exploits on all the other systems they accessed with my account, but they failed; in several cases the exploit code did not even match the version of the running kernel.
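The routine log check of section 3, and the timeline work of section 5 (merging logs from several hosts, one of them with a clock that was out), as an added example that is not code from the article or its author. It parses OpenSSH "Accepted" log lines, subtracts a known per-host clock error, merges everything into one timeline for a given user and flags logins from addresses the account owner never uses, so the earliest unexpected login (the start of the chain) stands out. The log lines, host names, addresses, the allow-list and the 25-minute clock offset are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd log lines from three hosts (not real entries from the
# article). Shape follows OpenSSH syslog output; syslog omits the year, so
# 2004 is assumed below.
SAMPLE_LOGS = {
    "mailsrv": [
        "Mar 22 10:14:03 mailsrv sshd[2231]: Accepted password for alice from 10.20.30.40 port 33122 ssh2",
        "Apr  1 23:41:10 mailsrv sshd[3480]: Accepted password for misan from 192.0.2.77 port 4021 ssh2",
    ],
    "office": [
        "Apr  5 03:10:44 office sshd[981]: Accepted password for misan from 198.51.100.9 port 51011 ssh2",
        "Apr 28 09:02:15 office sshd[1123]: Accepted publickey for misan from 10.20.30.5 port 40211 ssh2",
    ],
    "home": [
        "Apr  6 18:22:01 home sshd[442]: Accepted password for misan from 198.51.100.9 port 51500 ssh2",
    ],
}

# Assumed per-host clock error, measured against a trusted reference clock:
# a positive value means that host's clock ran ahead, so it is subtracted.
CLOCK_OFFSET = {"office": timedelta(minutes=25)}

# Constructed allow-list: the addresses the account owner actually works from.
EXPECTED_SOURCES = {"10.20.30.5", "10.20.30.40"}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2004):
    """Return a dict for an 'Accepted' login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
    return {
        "time": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "user": m["user"],
        "src": m["src"],
        "method": m["method"],
    }


def build_timeline(logs, offsets, user):
    """Merge logins for one user from every host into one corrected timeline."""
    events = []
    for host, lines in logs.items():
        skew = offsets.get(host, timedelta(0))
        for line in lines:
            ev = parse_line(line)
            if ev and ev["user"] == user:
                ev["reported_time"] = ev["time"]   # what the host's own log says
                ev["time"] = ev["time"] - skew      # moved onto the reference clock
                events.append(ev)
    events.sort(key=lambda e: e["time"])
    return events


def suspicious(events, expected):
    """Logins whose source address is not on the owner's allow-list."""
    return [e for e in events if e["src"] not in expected]


def first_suspicious(events, expected):
    """The earliest unexpected login: where the chain of account abuse started."""
    hits = suspicious(events, expected)
    return hits[0] if hits else None


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOGS, CLOCK_OFFSET, "misan")
    for ev in timeline:
        flag = "" if ev["src"] in EXPECTED_SOURCES else "  <-- unexpected source"
        print(f"{ev['time']:%Y-%m-%d %H:%M:%S} {ev['host']:8} {ev['method']:10} from {ev['src']}{flag}")
    first = first_suspicious(timeline, EXPECTED_SOURCES)
    print("first unexpected login:", first["host"], first["time"], first["src"])
```

The method field is kept on purpose: once an account has moved to public-key authentication, any later "Accepted password" line for it is itself an anomaly worth flagging. Clock correction is done before sorting, because ordering events by the times the hosts reported would have put the office login after the home one and hidden the real sequence.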




As soon as I learned about the break-in (none too quickly, I might say, as we had two weeks of Easter holidays) I contacted abuse@rootshell.be telling them about the problem, which was indeed contrary to their own acceptable use policy. Throughout the process, help from their sysadmin was crucial for discovering who was responsible.

When I sent the first abuse report to rootshell.be I informed them about my IP address and the date and time of the illegal ssh connections. On the basis of this information, Rootshell's sysadmin learned what user account the intruders were using and the account was closed immediately. We were also provided with some of the information that the intruders provided when opening the account "userEve" [1], such as the Hotmail account mail_Eve@hotmail.com and, more importantly, the IP addresses they established the last connections from. Unfortunately these addresses belong to open machines that are ... on campus! These computers can be accessed by any student and, although users have to provide a valid user account, the intruders were using a stolen account and not their own.

What is now clear is that the intruders are on campus, so they are likely to be students, maybe even one of my students. As my department gives lectures for several courses it is not easy to narrow down the list of possible candidates.

7 Paperwork

From the very beginning I told the Computer Centre people about the incident in an attempt to get them involved, as they have more tools and reach than I do. Unfortunately, they have had other cases in the past and they know it is difficult and time consuming to catch these people.

I also reported the incident to my department head. As soon as we learned that the email server was being spied on, all department members were informed and passwords were changed.

However, there was an election going on at the university at that moment and this incident did not seem to be a priority. Even though unauthorized access to electronic email is a crime in Spain, our lawyers decided not to report the incident to the police.

8 The MUST

As I mentioned before, the intruders used an IP address belonging to an ADSL line of a Spanish ISP. The address returned no hits on a Google search, but two hits were found on Altavista, leading to two postings on two forums. From that I got a not very common name, and hey, I even have a student with that same unusual name, but after a number of telephone calls I was talking to the owner of the name (who was not my student) and I asked him what type of network access he had at home but, unfortunately, it is not from that ISP. But wait ... there is another voice in the background. The student tells me he is with the network admin of his school, so I ask him to put me through and then, bingo! The IP address belongs to that school, the Mediterranean University of Science and Technology (or MUST), which is situated on the same campus as us and quite close to the location of the other open systems we tracked down. It seems that the pieces of our puzzle are starting to fit together.

I ask the person on the phone for a meeting with him and his boss and off I go to meet them. I bring along a list of my logs with times and dates of the offending accesses. I find them very helpful but powerless, as they cannot give me a list of names because they keep no record of lab attendance. Also, they have around forty computers connected to the same ADSL line and they have no traffic record, so they cannot help me now (but we will be able to remedy this in the future).

9 Looking for Eve

When opening the account at rootshell.be the intruder (or intruders) provided an email account that they had to have access to, since the registration process requires users to confirm the email account by clicking on a special link mailed to their email account. So even though I do not know who the intruder is, it seems I can email her (please note I am deliberately avoiding the use of the term hacker). Clues point to her being one of our thirty thousand students. Looking for mail_Eve@hotmail.com provides no entries. But, once again, Altavista leads us to a forum on www.hackhispano.com where there is a user with the same alias mail_Eve who has 34 postings about her activities of the last two years.

I can believe it: that person has been creating chaos in several computer rooms, first in high school and now at the university. And, interestingly enough, the last two questions seem to be related to our case and within the right timeframe: brute forcing ssh and where the ssh logs are stored in GNU/Linux systems. Maybe she is starting to think she might be leaking some info and she wants to learn how to cover her tracks.

When checking this user's personal information on the forum we learn that she has 'obscured' her email by removing the last character, so it appears as mail_Eve@hotmail.co (instead of .com) and, voilà, there is an ICQ number too.

Now we go to the ICQ website to pull that user's personal info, where she appears as "Eve Simp", 19 years old (which fits our profile), living in a zip code of a small town near Valencia. So she is a freshman with a penchant for breaking into computer systems and causing chaos while staying under cover.

A few telephone calls to people in the area with the same last name return no further information. To get this moving, something else needs to be done. For security reasons we disconnect our corporate email server over the weekend, so the intruders have no way of accessing any of the accounts they had before, not even Rootshell's one.

So I send an email to Eve's hotmail account telling her the game is up, warning her that the incident has been reported, and asking her to meet us next Monday at our office.

[1] Information about the intruder is not provided to protect their identities. Unlike them, I do think other people's rights should be respected.




Ten minutes later I get an answer from somebody who has no objection to me calling her Eve and asks me if this is some kind of joke. I note down the IP address the message was answered from and I am able to trace it back to an ADSL operator of another area of Spain (La Rioja). It seems that even now Eve is taking care not to reveal her real location.

I reply to her right away informing her that I am not joking and telling her to talk to Rootshell's sysadmin if she is in any doubt. Nobody shows up on Monday, which is a pity because we still do not know who that person is. I send a message to the ADSL line ISP asking them to keep the log of that IP in case the police need to see it in a few days' or weeks' time.

What we know now is that the hotmail account is still alive and that Eve is still controlling it. Two days later some of the personal information (such as the zip code) is removed from Eve's ICQ personal data. So it seems she is worried about any information that can help us track her down. So now we know her real zip code.

10 Desperately Seeking Trudy

Over the weekend our server has been disconnected. The fake accounts that the intruders created were cancelled and all user passwords were changed. But we are still closely monitoring the system, so before shutting the system down for the weekend we realize that a new access attempt has been made from Rootshell's server. It seems they are up to their old tricks once again.

I contact Rootshell's sysadmin again to tell him the news, but this time I ask him not to cancel the account but to monitor what they do. Of course they are using another free account, and this time the name is "userTrudy" and the email is mail_Trudy@terra.es. As Trudy detects that she cannot log in to our server but the server is alive, she realizes that something has changed, so she starts deleting some files on her Rootshell account: files with names like k3ys.txt, users.txt and several users' .known_hosts files. It seems Trudy is doing a clean-up job, but this time we are watching carefully.

On Sunday there is a connection attempt (through Rootshell) to the email server (which is switched off) from an IP belonging to the cable ISP ONO.

The same IP has been appearing consistently in several of our logs. The other accesses to Trudy's Rootshell account are made from the MUST network. It seems that Trudy's home IP may well be this one. It is time to start monitoring the MUST network.

11 Fishing in The MUST

While the head of the MUST faculty is willing to help in the case, they have no monitoring equipment in place, so around forty computers are freely sharing a single ADSL line. So we deploy a simple network monitor that will record all the incoming and outgoing traffic over the ADSL line, including the Ethernet MAC addresses. We use Ethereal software.

A few days later, our trap is set and nothing has happened, but on Friday I get a call from MUST telling me they have caught Trudy red-handed and, what's more, she is not aware of it. The MUST sysadmin is analysing Trudy's computer and has discovered multiple connections to Rootshell and to a couple of ONO's IP addresses, one of them matching the one we mentioned earlier.

12 Unexpected Events

Knowing that the trail is fading fast, and given that the university was not interested in filing a police report, I decided to do so off my own bat, partly because I did not know what those people had been doing with my system and I did not want to be prosecuted later for a crime I did not commit.

A special team of police travelled from Madrid to Valencia to gather the evidence, and on the same trip they also received an unrelated report of another break-in at a computer at MUST.

One of the police team members suggests that I search for mail_Eve@hotmail.com on Google again. It seems they have done their homework and yes, this time there is an entry on Google for that email that belongs to programming work a student turned in at my university. Eve's last name is not Simp but Simpson, and she is a he. His address, phone number and zip code do appear in this assignment, and of course the zip code matches the one we already knew.

I talk to the professor responsible for that subject and he explains to me that Eve is not one of his students but the brother of one of his students. However, it seems that Eve was so proud of his programming skills that he turned his assignment in to be published in December 2003. However, the program was not posted on the subject's website till May 2004.

Eve is a first-year Telecom student, and when I contacted the Telecom school administrator he told me that Eve had a long list of similar incidents.

The Computer Centre person in charge of network security is informed about my findings. The next day he calls me back, surprised, as he has caught the same person up to no good at the University Library. Eve was caught while using a stolen account with administrator privileges. This time Eve was caught red-handed by security and was asked to produce a photo ID, so now he will have a hard time trying to get away with it.

13 Following The Trail

While I was still going through our mail server logs I realized that one teacher was connecting on March 22 from the same open systems lab that the intruders were sometimes connecting to Rootshell from. I contacted this colleague right away as I needed him to confirm or deny whether it was really him accessing from that location, and it turns out he had never been at that lab, so I have finally detected the first step the intruders made to get into our server.

It turns out that Eve was one of my colleague's students, and at the time of the intrusion he was using the class computer, which had Windows 98 installed, to access his office computer. Windows 98 stores a user password encrypted in a .pwl file. There are several programs that can easily decrypt these password files. My colleague was using the same password for his email account, and the ssh daemon was enabled on the email server, so that is how they got in.

Once they successfully escalated privileges on the server and installed the sniffer software they could learn the passwords of all the other professors. They had an easy way to get the large files containing capture data by using a USB hard disk (or USB flash dongle), as the campus network is quite fast for moving files around. When the operation was detected there was a 200MB capture file containing thousands of private files.

I should remind the reader at this point that this intrusion was possible because users (including myself) were using the same password for several systems.

14 Regaining Trust

Most of my colleagues using Microsoft Windows were not able to check whether or not their computers had been broken into, as auditing functions were not enabled. Other people using GNU/Linux did not detect any connection attempts from the email server.

I had evidence of some failed connection attempts to a second computer I had in my office that had a database of student grades on it (and a different password). What the purpose of the break-in was is still a mystery to me, but it is interesting that the intruders were so fond of my accounts on various computers.

My second office computer's web server had been bombarded with a number of exploits for a time period matching the break-in. As this computer was only accessible from within the campus network, the attackers used more than thirty different computers they had compromised before. A couple of these computers were from my department too. The attackers failed completely in this attack, but they kept on trying for a couple of weeks.

People in my department were warned about the break-in from the beginning and they were all asked to keep an eye on any bank account they may have electronic access to. Up until now it seems that no crime of this nature has been detected.

As a result of these events, our department board decided to close down our email server and to transfer all the accounts to the main university-wide email server (that now allows SSL connections too).

Some of the changes we have made

I have already mentioned that our departmental email server has been replaced by moving the accounts to a larger and (hopefully) better maintained university-wide email server. It is ironic that the server we are now doing away with was put in place because in the late nineties the university server was not considered secure at the time. It surprises me how a few years later this same server was the vehicle of an intrusion.

I had to talk to a great many people during this research and it amazes me that many of them are of the opinion that "I'm not worried because I have no valuable information on my computer". Apparently some users are not worried about other people spying on them or using their computer as a vehicle for conducting illicit actions such as breaking into other computers or storing illegal contents.

This incident has brought to light the weaknesses of our systems and our total lack of any security policy. This is a shortcoming that, two years on, we have yet to remedy. We all tend to use insecure short cuts too often and scarcely give a thought to the fact that we might be targeted.

I have decided the time for using passwords has passed and I have changed to public key authentication for all my accounts.

15 Conclusions

Campus networks seem to have several interesting features many intruders crave:

- High-speed Internet access.
- Thousands of computers linked together by a fast LAN.
- Academic information, such as exams and students' grades.

All these features, together with the scant interest that the average user tends to have in security issues affecting his or her own personal computer, make these networks an easy target for intruders.

Whenever a break-in is detected the worst is yet to come. A great many man-hours are consumed in the process of putting things right. Some literature suggests that detected intrusions may amount to around 4% of the total number of intrusions. (This is a tricky concept, since in order to give a percentage you need to know the total number it is a percentage of, which in this case is impossible.)

If your organization has no security policy then it is quite likely that your computer systems are not properly protected and that any intruders you may have will not be prosecuted effectively.

A Legal Postscript

One month after the police report was filed the university received a court order to hand over the hard drives of the compromised servers.

Several ISPs were required by the judge to provide the connection logs of several IP addresses belonging to their clients.

And both Microsoft Hotmail and Terra Networks were asked to provide the details of the owners of the accounts mail_Eve@hotmail.com and mail_Trudy@terra.es.

As a result, the identities of the intruders were revealed and the judge ordered the homes of these people to be searched by the police. The intruders were arrested and all their computing equipment was confiscated. After being questioned in court they were released with charges.

A year and a half later there was a trial. Trudy hired a famous (and expensive) lawyer. The two intruders were found guilty of the break-in but the judge let them off on a technicality. However, the prosecutor appealed and they were later sentenced to a fine of 3,600 euros each.

Translation by the author
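The monitoring set up in section 11 worked because the capture kept the Ethernet MAC addresses: on a lab of forty machines sharing one ADSL line, the outside world only ever sees the line's public address, and inside the lab the private address a machine gets can change, so the MAC is what ties a connection to a physical computer. The following is an added example, not code from the article or from Ethereal, of that attribution step over a capture summary. The CSV rows, MAC and IP addresses and the watch-listed destinations are all constructed; the column layout mimics an export of one row per outbound connection attempt.

```python
import csv
import io
from collections import defaultdict

# Constructed summary of a capture on the shared ADSL line, one row per
# outbound TCP connection attempt, with the Ethernet source address kept.
# Addresses are documentation ranges, not the article's real ones.
CAPTURE_CSV = """time,eth_src,ip_src,ip_dst,tcp_dstport
2004-05-10T11:02:14,00:0c:29:aa:bb:01,192.168.1.12,203.0.113.8,80
2004-05-10T11:05:51,00:0c:29:aa:bb:07,192.168.1.21,198.51.100.9,22
2004-05-10T11:06:02,00:0c:29:aa:bb:07,192.168.1.21,198.51.100.9,22
2004-05-10T11:09:30,00:0c:29:aa:bb:03,192.168.1.15,203.0.113.8,443
2004-05-10T12:41:07,00:0c:29:aa:bb:07,192.168.1.30,192.0.2.77,22
2004-05-10T12:45:19,00:0c:29:aa:bb:03,192.168.1.15,198.51.100.9,80
"""

# Constructed watch-list of (destination, port) pairs worth attributing: the
# shell provider's ssh service and the suspected home address from the logs.
WATCHLIST = {("198.51.100.9", 22), ("192.0.2.77", 22)}


def parse_capture(text):
    """Read the CSV export into dicts, with the port as an integer."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["tcp_dstport"] = int(r["tcp_dstport"])
        rows.append(r)
    return rows


def attribute_by_mac(rows, watchlist):
    """Group watch-listed connections by Ethernet source address.

    The private IP is deliberately not the key: DHCP may hand the same
    machine different addresses on different days, while the MAC stays
    with the hardware (absent deliberate spoofing, which a lab image
    usually does not allow)."""
    hits = defaultdict(list)
    for r in rows:
        if (r["ip_dst"], r["tcp_dstport"]) in watchlist:
            hits[r["eth_src"]].append(
                (r["time"], r["ip_src"], r["ip_dst"], r["tcp_dstport"])
            )
    return dict(hits)


def private_ips_seen(hits, mac):
    """Every private address a given MAC used while talking to the watch-list."""
    return sorted({ip_src for _, ip_src, _, _ in hits.get(mac, [])})


if __name__ == "__main__":
    hits = attribute_by_mac(parse_capture(CAPTURE_CSV), WATCHLIST)
    for mac, conns in hits.items():
        print(f"{mac}: {len(conns)} watch-listed connections, "
              f"private IPs used {private_ips_seen(hits, mac)}")
        for when, src, dst, port in conns:
            print(f"    {when}  {src} -> {dst}:{port}")
```

In the constructed data one machine reaches the shell provider's ssh port from two different private addresses, which is exactly the case an IP-keyed report would split in two; the row to the same host on port 80 is left out because the watch-list is keyed on destination and port, not destination alone.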
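Section 13 traces the whole chain back to one reused password reaching an ssh daemon, and section 14 ends with the author's move to public-key authentication. As an added example (not code or configuration from the article or its university), here is an sshd_config fragment in the weak, password-accepting form beside the corrected form, together with a small audit that reads either and reports every directive that still lets a password in. The directive names are real OpenSSH keywords; the two config texts, the policy and the defaults table are this example's own.

```python
# Constructed sshd_config fragments. The first still accepts passwords; the
# second is the corrected form. Keywords are real OpenSSH directives; the
# contents are assumed for the example, not taken from the article.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
# a reused or sniffed password is enough to log in here
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
"""

# The policy this audit enforces (the example's choice): directive -> (required
# value, reason). sshd matches keywords case-insensitively, hence lower case.
POLICY = {
    "passwordauthentication": ("no", "password logins accept a reused or sniffed password"),
    "challengeresponseauthentication": ("no", "keyboard-interactive still lets a password through"),
    "permitrootlogin": ("no", "root must be reached through an audited user account"),
    "pubkeyauthentication": ("yes", "key-based login must remain available"),
}

# Values sshd uses when the directive is absent (OpenSSH defaults for these
# three). PermitRootLogin's default has changed between releases, so an
# absent setting is reported rather than assumed.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Keyword -> value, honouring sshd's rule that the first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comment lines and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text, policy=POLICY, defaults=DEFAULTS):
    """Return one finding per directive whose effective value breaks the policy."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (want, reason) in policy.items():
        have = settings.get(key, defaults.get(key))
        if have is None or have.lower() != want:
            shown = "absent" if have is None else have
            findings.append(f"{key}: is {shown}, want {want} ({reason})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit(cfg)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("   ", p)
```

Two details matter for a real file: sshd takes the first value it sees for a keyword, so a hardening line appended at the end of a file that already says "PasswordAuthentication yes" changes nothing, and an absent directive is not "off", it is the compiled-in default, which for PasswordAuthentication is yes. The audit models both, which is why the minimal "Port 22" configuration is reported as still accepting passwords.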
