Security News > 2001 > February > Earthlink cracked!

Earthlink cracked!
2001-02-19 08:06

http://www.cotse.com/2152001.html Earthlink is currently battling a recent compromise of their internal network. Many of their internal Unix boxes have been cracked and have had a backdoor installed, according to unnamed Earthlink admins. Earthlink is currently working this in stealth, with the entire affair being kept very quiet. Administrators have been working frantically to determine the depth of the breach. Among tasks facing administrators is the combing of files using the strings command in an apparent attempt to determine exactly which machines have been back doored. They have currently restricted access to their billing database and a "jump" box named "chie". They have also locked down what they call their "yellow" and "green" networks. Restricting access to their billing database means that they have it temporarily locked down. We have heard that finance employees and billing are currently unable to access this database unless it is urgent. Urgent requests are temporarily required to be sent off instead of direct access. It is unknown at this time if the billing databases were compromised. The compromise was apparently due to a recent SSH vulnerability that caught them off guard. It appears that they did not react fast enough in patching their servers and the result was a wide spread compromise. Granted, rapidly patching many servers is a task and a half and will not happen fast, but close monitoring of the affected service can drastically limit damage. We hope that Earthlink managed to detect it fast enough. This should underscore the need for corporations with a net presence to follow the security lists closely and address root exploits immediately. Unfortunately most corporations still place network security as low priority. Frequently they completely ignore it or take weeks to respond to announced vulnerabilities. The recent Microsoft, Intel, and now Earthlink compromises have shown that even waiting a few days is to long. Companies with a strong net presence should be employing a security administrator who's sole job is to keep up with the vulnerabilities and coordinate patching in a timely manner. Root vulnerabilities cannot wait to wade through the mountains of internal red tape before being addressed. /steve 2-15-2001 *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".


News URL

http://www.cotse.com/2152001.html