Earthlink cracked!

kelley kwalker2 at gte.net
Mon Feb 19 22:28:50 PST 2001


interesting... more microsoft fun given the talks b/t m$ and earthlink? haven't kept up with the financial stuff, so i assume it's still in the works... thrills the heck outta me since i have a backup acct with earthlink...love having the credit card potentially exposed!

http://www.cotse.com/2152001.html

Earthlink is currently battling a recent compromise of their internal network. Many of their internal Unix boxes have been cracked and have had a backdoor installed, according to unnamed Earthlink admins. Earthlink is currently working this in stealth, with the entire affair being kept very quiet.

Administrators have been working frantically to determine the depth of the breach. Among tasks facing administrators is the combing of files using the strings command in an apparent attempt to determine exactly which machines have been back doored. They have currently restricted access to their billing database and a "jump" box named "chie". They have also locked down what they call their "yellow" and "green" networks.

Restricting access to their billing database means that they have it temporarily locked down. We have heard that finance employees and billing are currently unable to access this database unless it is urgent. Urgent requests are temporarily required to be sent off instead of direct access. It is unknown at this time if the billing databases were compromised.

The compromise was apparently due to a recent SSH vulnerability that caught them off guard. It appears that they did not react fast enough in patching their servers and the result was a wide spread compromise. Granted, rapidly patching many servers is a task and a half and will not happen fast, but close monitoring of the affected service can drastically limit damage. We hope that Earthlink managed to detect it fast enough.

This should underscore the need for corporations with a net presence to follow the security lists closely and address root exploits immediately. Unfortunately most corporations still place network security as low priority. Frequently they completely ignore it or take weeks to respond to announced vulnerabilities. The recent Microsoft, Intel, and now Earthlink compromises have shown that even waiting a few days is to long.

Companies with a strong net presence should be employing a security administrator who's sole job is to keep up with the vulnerabilities and coordinate patching in a timely manner. Root vulnerabilities cannot wait to wade through the mountains of internal red tape before being addressed.

/steve 2-15-2001

*==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================*

ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV at SecurityFocus.com with a message body of "SIGNOFF ISN".



More information about the lbo-talk mailing list