Wed May 30 15:31:08 PDT 2001 — We’ve had a security incident affecting bolt.sonic.net, our unix shell server. No other servers or services appear to be affected. We’re aware of 126 remote user account logins and passwords that were captured during the break-in, but all recent unix shell users should review any remote hosts they use for signs of abuse.
The shell server is our most vulnerable server due to the nature of interactive shell services. With this in mind, it’s been designed to limit the scope of potential damage due to an intrusion. It has no passwords on board; authentication is done remotely via RADIUS. The shell server also has no customer records of any sort. The shell server is a non-trusted component of the network, and lives on its own private network segment to prevent network sniffing. Additionally, NFS filesystems are mounted ‘squashed’, so that there are zero privileges on those filesystems housing end-user files.
The user names and passwords were captured by a trojaned version of the ‘ssh’ client binary. If you’ve used ssh from bolt toward a remote system in the past few weeks, your username and password on the remote system you connected to may be compromised. Notification emails are being sent to the affected remote accounts, plus the security address at the remote site. Telephone notification has already been made to any remote sites for which a ‘root’ or ‘admin’ password was captured.
Connecting to remote systems via a public shell server is a “Bad Idea” from a security perspective. Please use caution and common sense – if you need to establish a remote session, it should be done directly from your workstation to the remote host.
We’re sorry about any inconvenience this has caused the affected unix shell users. We’re committed to continuing to provide shell services, and we will work to assure that bolt.sonic.net remains secure on an ongoing basis. Please post to news:sonic.os.unix if you have any additional questions.
-Dane, Scott, Eli, Nathan, Kelsey, Steve and Russ