Slide 6 of 21
Notes:
While AJF was considering the tcpdump output, DJM was investigating and preparing TCP wrappers.
After we felt that we had logged enough, DJM set the TCP wrappers to block access from [******].
We saw the hacker immediately transfer their attention to an Astronomy machine, which we later confirmed had been previously hacked in the same way.
From this vantage point they fingered the first machine (which the TCP wrappers did not prevent, as they were coming from an inside address), and spotted us logged in from a Particle Physics machine. Whereupon they started hacking that machine. Although they didn't get into it, we felt we had had enough, so at that point we disconnected the whole department from the external network, except that I left my PC connected to outside, from which I logged on to CERN and composed a report to JANET CERT.
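The bypass described above (a TCP wrappers rule that blocks one outside address, so a host already compromised on the inside can still reach finger) is worth contrasting with a default-deny setup. The fragment below is an added illustration in standard tcp_wrappers hosts.allow/hosts.deny syntax, not the department's actual files; the addresses and service names are constructed, and the blocked address stands in for the redacted [******].

```text
# --- What the notes describe (reconstructed): block only the one external address ---
# /etc/hosts.deny
ALL: 192.0.2.7
# Every other client, including an inside machine that has already been hacked,
# still matches nothing here and is let through to in.fingerd, telnetd, etc.

# --- Default-deny form: deny everything, then list what is allowed ---
# /etc/hosts.deny
# Rules are checked hosts.allow first, then hosts.deny; first match wins.
# Log every refused connection with the daemon (%d) and client (%c) expansions.
ALL: ALL: spawn (/usr/bin/logger -p auth.notice "tcpd refused %d from %c") &

# /etc/hosts.allow
# finger only from the local host; remote finger, inside or outside, is refused.
in.fingerd: 127.0.0.1
# interactive logins only from the department's own subnet (constructed range).
in.telnetd: 10.20.30.0/255.255.255.0
```

Two caveats a defender should keep in mind: the deny-by-default form still trusts the listed inside subnet, so a compromised machine in that range reaches telnet (the address-based rule cannot tell a legitimate inside user from an attacker hopping through an already-hacked host), and tcp_wrappers only governs services started through tcpd or linked against libwrap; anything else listening on the machine is unaffected by either file.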
I would add that although we subsequently learned that our attempt to alert the computing service had successfully reached the Director by Saturday night, we had been dealing with this incident entirely on our own and without any apparent response from the University, which was rather dispiriting.
On Sunday, the sysmgr of the Astronomy machine came in and I reviewed the situation with him.