19990107: Restoring Findeisen at UNI

>From: address@hidden
>Organization: University of Northern Iowa
>Keywords: 199901071849.LAA27037 Linux hack

Alan-

>       This is what Melanie and Drew have concluded about
>the bizzare incident with Findeisen shutting down our campus
>computer system.  Would you be able to assist them in restoring
>Findeisen without destroying all the software you installed?
>Please keep me posted and thanks for your help.

The short answer is yes. However, it might be prudent to wipe the disk
clean and resinstall the software. Who knows what is lurking around in
the mcidas/gempak directories. It is also probably easier for me to
just re-install rather than figure out what needs to be backed up. All
the data is old by now, so it's not like you are going to lose anything
valuable there. I can do the install/setup remotely if you can give me
root access (or you could try it on your own if you want to be brave!
;-)).

If you want to go this route, then have Drew reformat the disk and
remove Windows from it since if this is going to be your LDM system
there is no need for dual booting. That will give you another 2GB of
disk to use for LDM/GEMPAK/McIDAS. You have a 6 GB disk. If you set
aside 4 GB for the ldm data, you would have 2 GB for the Linux install
and the software. If he is going to make /home a separate partition, it
needs to be at least 500 Mb to hold the McIDAS and GEMPAK distributions.
Alternatively, he can leave /home as part of the main root / partition
and use a disk quota to set the limit on the size. That way, if it ends
up being too small, the quota can be enlarged and he would not have to
repartition the disk.

I'm curious as to what led them to believe it was hacked (what were
the symptoms they found). Cornell had a linux system that was hacked
recently also. I wonder if it is the same person.

Let me know what route they want to take and if they can provide more
details on the symptoms of the breakin (like how they got in), that
would be great.

I'll wait to hear from you.  I'm not going to AMS so I'll be around
next week.

Don
>--------------------------------------------------------------
>
>From:  IN%"address@hidden"  "Melanie Abbas (CNS staff)"  7-JAN-1999 11:59:3
> 6.84
>To:    IN%"address@hidden"  "Alan Czarnetzki (Earth Science) "
>CC:    
>Subj:  findeisen (fwd)
>
>Your computer had been hacked into.  This is an analysis from one of my
>students.  We need to contact your software person from Colorado to get it
>back up and running.
>
>
>Melanie Abbas
>CNS Systems Administrator
>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @
>Be content with such things as you have. For God himself has said, I shall
>never leave you nor forsake you.       -Hebrews 13:5
>
>Office: WRT 337                Regular hours: 8:00-5:00 
>Phone: 273-7029                Fax: 273-7123           Beeper: 235-4135
>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @
>
>---------- Forwarded message ----------
>Date: Thu, 7 Jan 1999 11:38:22 -0600 (CST)
>From: "Andrew Jones (CS/MATH stud.) " <address@hidden>
>To: "Melanie Abbas (CNS staff)" <address@hidden>
>Subject: findeisen
>
>
>ok, i think these should be the next steps
>
>turn this ip, 204.30.67.180, over to ITS and let them try to figure out
>who it is if they want to.  I didn't see any logins from that subnet on
>chaos or nova so it may or may not be one of our users. Netcom is huge I
>doubt they'll figure it out anyway.
>
>i need to reinstall linux on findeisen. there was a lot of stuff trojaned.
>login, syslog, w, who, finger, etc. I can't trust it.
>
>also i want to make a seperate partition for /home because some user
>filled up / by filling up his home directory and that caused problems.
>
>so i need to get in touch with the dude from colorado and figure out how
>to keep all his work from being destroyed.  what files to backup and how
>to restore them type thing.
>
>later,
>drew
>
>
>
>