Slashdot Mirror


Hacked MIT Server Used To Stage Attacks

wiredmikey writes "A compromised server at the Massachusetts Institute of Technology (MIT) has been identified as being used as a vulnerability scanner and attack tool, probing the Web for unprotected domains and injecting code. According to researchers, the ongoing attacks appear to be related to the Blackhole Exploit Pack, a popular crime kit used by criminals online. The attacks started in June, and an estimated 100,000 domains could have been compromised. Judging by initial data, one MIT server (CSH-2.MIT.EDU) hosts a malicious script actively used by cyber-crooks to scan the web for vulnerable websites. These types of attacks are how BlackHat SEO scams are propagated, which target search results in order to spread rogue anti-virus or other malware. In addition, compromised hosts are also leveraged for other schemes, such as spam or botnet control."

13 of 75 comments

  1. Luckily it wasn't the important server there by hessian · · Score: 4, Interesting
  2. Re:Let me guess, it wasn't running OpenBSD. by Xugumad · · Score: 5, Funny

    If you think OS choice is the biggest issue with academic network security, you clearly haven't met enough academics...

  3. "Hacked" by Baloroth · · Score: 3, Funny

    Are we quite sure this server was hacked? I wouldn't put it past some college student, or possibly even a network admin, to do this personally. While that may technically still be "hacking", it wouldn't qualify for it in the popular-media definition (which is the way TFA seems to be using it... or maybe not, maybe the writer is using the term deliberately.) The proper term is "cracked."

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  4. Re:Let me guess, it wasn't running OpenBSD. by the+linux+geek · · Score: 2

    Or HP-UX, or AIX, or GCOS 7, or z/OS, or OS 2200, or NSK...

    Or a properly configured Windows or Linux. Proper administration matters far more than OS choice.

  5. Re:We're doomed by hedwards · · Score: 3, Insightful

    I'm pretty sure you don't have an alumnus; slavery is illegal.

  6. The last time I was attacked by MIT... by billstewart · · Score: 5, Funny

    I used to keep a couple of honeypot open servers on the DSL line in my lab in the late 90s. Nobody ever bothered the Win95 box, but the unpatched Red Hat 6.x box was broken into and brutally killed enough weeks in a row that I ended up naming it "Kenny". It got attacked by some machine in Sweden and was pinging home to check in and receive further commands, so I and the admin there cleaned up our machines. I forget if the attack on the wu-ftpd daemon came from Washington University or was used to attack them. The bad guy thought they had covered their tracks by replacing the ps and ls commands, but I noticed their extra directories with "find", and their processes with "echo /proc/*" :-)

    So one week the attack was coming from MIT. I tried going through mit.edu's website to find a sysadmin to talk to, didn't get a response, so I sent email to a security researcher I knew there, who already knew about the problem. It turns out that the attack wasn't actually from MIT - it was from somebody in Japan who was using a compromised Sun server, and there was a byte order problem in the attack code. So the attacker wanted my machine to be pinging him at x.y.z.18, but instead my responses were going to 18.z.y.x at MIT.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:The last time I was attacked by MIT... by RadioTV · · Score: 2

      NO. RHEL 6 wasn't released in the 90's, but Red Hat 6 was. Red Hat has changed names and re-started their version numbers.

      --
      I have great faith in fools - self confidence my friends call it. - Edgar Allan Poe
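Two of the checks billstewart describes above, as an added example that is not part of the thread and not his code: comparing the numeric entries in /proc (what `echo /proc/*` lists) against what ps reports, which exposes processes a trojaned ps is hiding, and the byte-order mix-up that turned a callback address x.y.z.18 into 18.z.y.x. The sample PID lists and the address 10.20.30.18 are constructed for the example; the real x.y.z octets are not on the page, and 18.0.0.0/8 is assumed here only as the MIT-allocated range the comment implies.

```python
"""Added example (not from the Slashdot thread above).

hidden_pids():        pure comparison of a /proc listing with a ps listing.
live_hidden_pids():   wires it to the real /proc and ps(1) on a Linux box,
                      snapshotting /proc before and after ps so that
                      processes that merely started or exited in between
                      are not reported as "hidden".
byte_swapped_ipv4():  what a dotted-quad becomes when its 4 bytes are
                      packed in network (big-endian) order and read back
                      as a little-endian host integer, or vice versa.
"""
import os
import socket
import struct
import subprocess


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps output, sorted ascending.

    A trojaned ps typically filters its own output; it cannot remove the
    /proc/<pid> directories the kernel exposes, so the set difference is
    the rootkit's hidden process list (PID reuse and races aside).
    """
    return sorted(set(proc_pids) - set(ps_pids))


def list_proc_pids(proc_root="/proc"):
    """Numeric entries under /proc, i.e. one per live process/thread group."""
    return [int(name) for name in os.listdir(proc_root) if name.isdigit()]


def list_ps_pids(ps_output):
    """Parse the output of `ps -e -o pid=` (no header, one PID per line).

    Non-numeric tokens (a stray header, blank lines) are skipped.
    """
    return [int(tok) for tok in ps_output.split() if tok.isdigit()]


def live_hidden_pids(proc_root="/proc"):
    """Run the check on the current host (Linux only; needs /proc and ps).

    Only PIDs seen in /proc both before and after ps ran, yet missing from
    ps output, are reported; anything that appeared or vanished during the
    ps call is discarded as a race rather than as a hidden process.
    """
    before = set(list_proc_pids(proc_root))
    ps_out = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout
    after = set(list_proc_pids(proc_root))
    stable = before & after
    return hidden_pids(stable, list_ps_pids(ps_out))


def byte_swapped_ipv4(dotted):
    """Address obtained when the 4 bytes of `dotted` are misread in the
    opposite byte order, e.g. a network-order address treated as a
    little-endian x86 integer. 10.20.30.18 -> 18.30.20.10, which is how
    a callback to x.y.z.18 ended up pointing into 18.0.0.0/8 (assumed here
    to be the MIT range the comment refers to)."""
    packed = socket.inet_aton(dotted)          # b'\x0a\x14\x1e\x12' for the sample
    (misread,) = struct.unpack("<I", packed)   # little-endian read of big-endian bytes
    return socket.inet_ntoa(struct.pack(">I", misread))


if __name__ == "__main__":
    # Constructed sample: PID 1337 exists in /proc but a trojaned ps omits it.
    sample_proc = [1, 2, 512, 1337, 2048]
    sample_ps = [1, 2, 512, 2048]
    print("hidden in sample:", hidden_pids(sample_proc, sample_ps))
    print("10.20.30.18 byte-swapped:", byte_swapped_ipv4("10.20.30.18"))
    if os.path.isdir("/proc"):
        print("hidden on this host:", live_hidden_pids())
```

The comparison deliberately lives in a pure function so it can be fed a saved `ls /proc` and `ps` capture from a suspect box rather than run there; a rootkit that also hooks the kernel's /proc handling defeats this check, at which point an offline look at the disk or memory is needed.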
  7. Big Ado About Nothing by DTemp · · Score: 2

    I've seen this story posted over and over. Some computer sitting in Building 1 on campus, used by Course 1, was compromised. BFD. MIT's Information Services and Technology deal with computers like this every day, as does anyone who manages a network with tens of thousands of computers. There are dozens of machines a day that get compromised. This is not a server sitting in the racks; this is a computer sitting in a closet or under a desk in an academic building. There are multiple addresses people can use to report maliciousness on the network (abuse@mit.edu, stopit@mit.edu, security@mit.edu), and they take care of the compromised computers in an order that actually matters.

    I guarantee you there are dozens of other computers on the MIT network right now that are also serving malware or acting as a point of entry for hackers, and they'll get dealt with as they get noticed.

  8. THANK YOU by S77IM · · Score: 2

    ...for calling them "criminals" and not "cyber-criminals."

    --
    Student: Is it true that the foundation of the universe is paradox?
    Master: Well, yes and no.
  9. Re:This is what you get when you hirer IT based on by fotoguzzi · · Score: 2

    Spoken like a true Engrish major.

    --
    Their they're doing there hair.
  10. They have an open network policy by MITpianoman · · Score: 2

    Having gone there for my undergrad, this isn't that surprising. Students' computers get fixed IP addresses on the network (and it's very straightforward to get a hostname registered). Due to the fixed IP addresses, hackers scan the network range fairly regularly looking for boxes to pop. Back in 2002 I set up a Win2k box on the network. Within 24 hours of it being online (and stupidly, unpatched), it was infected with Code Red.

  11. So who is the owner of the system? by damn_registrars · · Score: 2

    Who does csh-2.mit.edu belong to at MIT? For a school that large there is a very good chance that it belongs to someone who is not necessarily well versed in network security. It is entirely possible that the system was compromised because of an exploit that an admin would consider "obvious" for whatever OS was running on it.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:So who is the owner of the system? by CAIMLAS · · Score: 2

      Having had to deal with various admins in academic institutions over the past year or so, as well as experience doing IT in academic institutions, my experience is this:

      * Nobody owns the systems. They're there. There are people there. Being an educational institution with peoples' primary purpose in being there to either teach or learn, efforts are focused elsewhere.
      * There are very few actual IT staff. Mostly, they're there to keep the systems directly responsible for education working, as well as lab computers.
      * The IT people there are overworked, particularly in the math and science departments. You'll have requests like "oh, I need an 8-year-old version of Mathematica" from a prominent math professor, or a CS professor who insists on having his VMS machines available for himself and his students.
      * The math/science/engineering departments often assume the role of IT for other departments. Sometimes, other departments don't have IT at all.
      * Most actual IT work, even outside support/maintenance/troubleshooting, is done by inexperienced students on work study (because the government pays for it, it's cheap).
      * Even many prominent schools only have one, maybe two "professionals" manning their IT staff, with the rest being students. When he goes on vacation, everything significant stops happening. Sometimes it's just a long-standing professor who enjoys the work; sometimes it's a group of skilled/experienced students.
      * Because it's academia, most decisions on maintenance and acquisitions fall on people who have no knowledge or understanding of IT. If facebook works and they're getting mail from whomever, they don't know (or care - they're only at the school until they can get their position at a much larger research institution in their field) that they've got an exploited mail server or the equipment is 8 years old.
      * This is true even for larger, well-known institutions.
      * Many of the systems in place on a campus were put in years and years ago by a singular prodigy who knew the systems well. You know, someone who knows djbdns, qmail, and cyrus backwards and forwards, and by god - why would anyone need (or want) anything else? "It's easy." Or sometimes, it's a programmer who has foolishly made it so nothing can be touched without breaking a dozen other things on the network, so nobody even tries. Meanwhile, the likelihood that someone is going to exploit the machine increases as time goes on....
      * It is not unheard of for equipment to go missing. For instance, behind drywall, only to be discovered years later. This kind of thing still happens. I remember when this story came out with fond recollection. Since that time, however, I've personally witnessed several similar WTFs: a display-driving workstation inside a wall, an important server running on wireless, "mission critical" machines running on single dedicated disks, "secure" distributed networking using wall-wart ARM systems throughout the building complex. If you can't find it, you can't update it.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers