Chronology (3)
After watching and logging, we decided to chop the hacker’s route of entry to the machine
The hacker immediately moved operations to an Astronomy machine, which we deduce they had recently hacked in the same way
From there we saw them finger the first machine, spot us logged on from a PP machine, and immediately start attacking that, albeit without success.
Then we had had enough, and pulled the plug.
Notes:
While AJF was considering the tcpdump output, DJM was investigating and preparing TCP wrappers.
After we felt that we had logged enough, DJM set the TCP wrappers to block access from [******].
We saw the hacker immediately transfer their attention to an Astronomy machine, which we later confirmed had been previously hacked in the same way.
From this vantage point they “finger”ed the first machine (which the TCP wrappers did not prevent, as they were coming from an “inside” address), and spotted us logged in from a Particle Physics machine. Whereupon they started hacking that machine. Although they didn’t get into it, we felt we had had enough, so at that point we disconnected the whole department from the external network, except that I left my PC connected to outside, from which I logged on to CERN and composed a report to JANET CERT.
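As an added illustration (not part of the original report), the TCP wrappers rules below contrast the single-address block described above with a default-deny policy; the address, network and hostnames are placeholders, since the report redacts the real ones.

```conf
# /etc/hosts.deny -- what the per-address block amounts to: only the one
# external source is refused (placeholder address; the report redacts it).
# A connection relayed through an already-compromised inside host never
# matches this line, so it is let straight through.
ALL: 198.51.100.23

# /etc/hosts.deny -- default deny instead: anything not explicitly listed
# in hosts.allow is refused, wherever it comes from.
ALL: ALL

# /etc/hosts.allow -- consulted before hosts.deny; first match wins.
# Login services only from the department network (placeholder), and the
# known-compromised Astronomy host is carved out with EXCEPT.
in.rlogind, in.telnetd, in.ftpd: 192.0.2.0/255.255.255.0 EXCEPT astro1.example.ac.uk

# finger is cheap reconnaissance: restrict it to local hosts and record every
# query (%h = client host, %d = daemon). 'spawn' needs tcpd built with
# PROCESS_OPTIONS; on older builds put the command directly in the third field.
in.fingerd: LOCAL, .example.ac.uk: spawn (/usr/bin/logger -p auth.notice "finger from %h to %d") &
```

With the first rule alone, the pivot through the inside machine is invisible to tcpd; with default deny plus an explicit allow list, the compromised host can be excluded and the finger queries that revealed the PP login would at least have been logged.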
I would add that although we subsequently learned that our attempt to alert the computing service had successfully reached the Director by Saturday night, we had been dealing with this incident entirely on our own and without any apparent response from the University, which was rather dispiriting.
On Sunday, the sysmgr of the Astronomy machine came in and I reviewed the situation with him.