Slide 2 of 21
Notes:
As seen from our side, the story began on 31 March. I was away, but an email informed me that DJM was dealing with a situation in which the Physics Dept's main Welcome page had been overwritten with a replacement page. Soon afterwards a circular email arrived, notifying us of reports that discontented students were overwriting web pages, making use of the statd vulnerability described in CERT advisory CA97-26. We applied the fix at the first opportunity.
Late on the afternoon of Friday 3rd, I was telephoned from Chicago by a man who introduced himself and explained that, as a result of their having been hacked some time earlier via the statd problem, they had alerted the FBI and instrumented their system to detect further attacks; later, they had spotted an attack from our Physics system. I sent him an email (from the PP system), copied to JANET CERT and our campus folks, confirming the report. It was worrying that the reported incident had occurred subsequent to our applying the statd fix. The reason became evident later.
I attempted to close down network services on the affected machine, which is the Dept's mail server, but got immediate complaints from users about their mail. It was decided to prevent logins and allow the other network services to run. With hindsight this may well have been a poor choice, but in the event we were fortunate, as the hacker was not destructive.