
>>> GOC Ticket update for MIT.edu (lnbat0006.cmsaf.mit.edu) & CERN.ch (lxplus002.cern.ch)
>>>
>>>From: kocolosk@mit.edu
>>>To: "Grid Operations" <goc@opensciencegrid.org>
>>>Subject: Fwd: Re: Fwd: fig.chaw.com incident update from CERN
>>>Date-Sent: Friday, July 29, 2006 11:46 AM
>>>
>>> Thanks Vikram! Host lnbat0006.cmsaf.mit.edu is up and running!
>>>
>> Message forwarded to kocolosk@mit.edu
>
>From: Vikram Reddy Andem <vandem@fnal.gov>
>To: Grid Operations <goc@opensciencegrid.org>
>cc: leighg@indiana.edu; rdc@slac.stanford.edu; Ian.Neilson@cern.ch; petravick@fnal.gov; ruth@fnal.gov
>Subject: Re: Fwd: fig.chaw.com incident update from CERN
>Date-Sent: Friday, July 20, 2006 09:16 AM -0400
>
>All,
>
>I found the root cause and fixed it! Will close the ticket soon.
>
>Thanks
>Vikram Andem
>vandem@fnal.gov
>
>Next Action Deadline 2006-07-18
>
>2006-07-14 1:06 PM Ticket created by : "Vikram Reddy Andem" <vandem@fnal.gov>
> Subject Matter Expert assigned to : "Vikram Reddy Andem" <vandem@fnal.gov>
>
>"Robert D.Cowles" <rdc@slac.stanford.edu>,
>"Vikram Reddy Andem" <vandem@fnal.gov>,
>"Ian Neilson" <Ian.Neilson@cern.ch>,
>"Don Petravick" <petravick@fnal.gov>
>
>From: leighg@indiana.edu
>To: Grid Operations <goc@opensciencegrid.org>
>cc: tsilver@indiana.edu
>Subject: Re: Fwd: fig.chaw.com incident update from CERN
>Date-Sent: Friday, July 14, 2006 10:36 AM -0400
>
>yes please make a ticket..
>leigh
>On Fri, Jul 14, 2006 at 09:13:49AM -0400, Grid Operations wrote:
>Leigh,
>
>Do you want a ticket on this? Just let me know.
>
>Tim
>
>Begin forwarded message:
>

>>From: Ruth Pordes <ruth@fnal.gov>
>>Date: July 14, 2006 8:47:17 AM EDT
>>To: Grid Operations Center <goc@opensciencegrid.org>, "Robert D.
>>Cowles" <rdc@slac.stanford.edu>, Vikram Reddy Andem <vandem@fnal.gov>,
>>Ian Neilson <Ian.Neilson@cern.ch>
>>Cc: Don Petravick <petravick@fnal.gov>
>>Subject: Fwd: fig.chaw.com incident update from CERN
>>
>>Hi
>>
>>can Vikram, Leigh and Bob sort this out please
>>
>>Ian - because we wanted the opportunity to filter I think --
>>
>>thanks
>>
>>Ruth
>>
>>Begin forwarded message:
>>
>>>From: Ian Neilson <Ian.Neilson@cern.ch>
>>>Date: July 14, 2006 5:11:14 AM CDT
>>>To: Ruth Pordes <ruth@fnal.gov>, rdc@slac.stanford.edu
>>>Cc: "project-lcg-security-officer (Generic contact address for LCG
>>>Security Officer)" <project-lcg-security-officer@cern.ch>
>>>Subject: RE: fig.chaw.com incident update from CERN
>>>
>>>Ruth, Bob,
>>>
>>>I didn't have (but do now) an exception handling hook in my scripts and
>>>have been trying hard to avoid having to manage one (but failed). This
>>>was the beauty of the OSG 'super-site' in the GOCDB that was agreed and
>>>then dismantled from my point of view. Actually it was only when I
>>>chance noticed that Bob was deleted from the lists and informed him that
>>>I got to realise that the super-site was deleted.
>>>
>>>So User rdc@slac.stanford.edu added as new list member for CSIRT and
>>>CONTACTS I'd appreciate if you could register
>>>project-lcg-security-officer@cern.ch in the equivalent OSG lists pending
>>>generation of equivalent lists as discussed recently.
>>>
>>>Now I think again I'm not sure exactly why we decided not to just
>>>cross-register the CSIRT and CONTACTS lists from the other grid?
>>>
>>>Cheers,
>>>Ian
>>>
>>>| Ian Neilson
>>>| Grid Deployment Group, CERN
>>>| Tel: +41(0)2276 74929 [Fax: 69294]
>>>
>>>>-----Original Message-----
>>>>From: Ruth Pordes [mailto:ruth@fnal.gov]

>>>>Sent: 13 July 2006 17:53
>>>>To: Ian Neilson; rdc@slac.stanford.edu
>>>>Subject: Re: fig.chaw.com incident update from CERN
>>>>
>>>>Ian
>>>>
>>>>it appears Bob Cowles got dropped from the
>>>>
>>>>project-lcg-security-csirts@cern.ch mail list
>>>>
>>>>at least as part of the OSG Security team please could he be readded
>>>>
>>>>thanks!
>>>>
>>>>Ruth
>>>>
>>>>On Jul 13, 2006, at 10:35 AM, Ian Neilson wrote:
>>>>
>>>>>FYI
>>>>>
>>>>>| Ian Neilson
>>>>>| Grid Deployment Group, CERN
>>>>>| Tel: +41(0)2276 74929 [Fax: 69294]
>>>>>
>>>>>-----Original Message-----
>>>>>From: Lionel Cons [mailto:lionel.cons@cern.ch]
>>>>>Sent: 13 July 2006 17:12
>>>>>To: hepix-security@fnal.gov
>>>>>Cc: Computer Security
>>>>>Subject: Heads Up: Security Incidents At Several HEP/GRID Sites
>>>>>
>>>>>Dear HEPiX security contacts,
>>>>>
>>>>>A number of HEP/GRID sites, including CERN, have detected compromised
>>>>>accounts.
>>>>>Here are the things which are common to most of these incidents and
>>>>>seem to indicate that they are closely related:
>>>>>
>>>>>(*) connections from fig.chaw.com (88.208.195.26)
>>>>>
>>>>>This machine has very likely been compromised at root level and any
>>>>>connection coming from it should be treated as suspicious. Note that this
>>>>>machine also has a second network interface bound to mango.chaw.com
>>>>>(88.208.195.25).
>>>>>
>>>>>(*) presence of the file /var/run/entropy
>>>>>
>>>>>This file has been detected on several machines and, for some
>>>>>compromised accounts, it also appeared in the user's vim history file
>>>>>(~/.viminfo), indicating that the user at least looked at the file.
>>>>>

>>>>>Here is some CERN-specific information:
>>>>>
>>>>>The following three LXPLUS nodes may have been compromised and are
>>>>>being investigated: lxplus002.cern.ch (137.138.5.80), lxplus054.cern.ch
>>>>>(137.138.4.170) and lxplus068.cern.ch (137.138.4.179).
>>>>>
>>>>>The following two accounts have been compromised: ldwyer (Lisa
>>>>>DWYER) and naustin (Nicholas Charles AUSTIN).
>>>>>
>>>>>We recommend that you carefully check at your site connections from
>>>>>these suspicious hosts or to these user accounts, if you have them.
>>>>>
>>>>>It seems that this activity has been going on for several weeks.
>>>>>The first incident recorded is from June 21st.
>>>>>
>>>>>Regards,
>>>>>__________________________________________________________
>>>>>Lionel Cons http://cern.ch/lionel.cons
>>>>>CERN Security Team http://cern.ch/security
>>>>>CERN http://cern.ch

7 years ago by leighg
update email lists for security and sent email to ian..

Ian

I have registered the project-lcg-security-officer@cern.ch in the indicent-response-l@opensciencegrid.org which I hope is the equivalent list. Also could you register the incident-discuss-l@opensciencegrid.org in your list for CSIRT and CONTACTS. This will allow OSG Security Group members to receive updates.

Thanks
leigh
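
Added example, not part of the e-mail thread or of any CERN or OSG tooling: a small Python sweep for the indicators the quoted advisory lists (the two chaw.com hosts, the two named accounts, /var/run/entropy and references to it in ~/.viminfo). The OpenSSH-style log format, the /home layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Indicators quoted in the advisory above.
SUSPECT_SOURCES = {"88.208.195.26", "88.208.195.25", "fig.chaw.com", "mango.chaw.com"}
SUSPECT_ACCOUNTS = {"ldwyer", "naustin"}
MARKER_FILE = "/var/run/entropy"

# Assumption: OpenSSH-style syslog lines
# ("Accepted|Failed <method> for <user> from <src> port N").
SSH_EVENT = re.compile(r"(Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")

def scan_auth_log(lines):
    """Return (line_no, outcome, user, source, reasons) for events matching an indicator."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = SSH_EVENT.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        reasons = []
        if src.lower() in SUSPECT_SOURCES:  # any connection from these hosts is suspicious
            reasons.append("suspect-source")
        if user in SUSPECT_ACCOUNTS:
            reasons.append("suspect-account")
        if reasons:
            hits.append((no, outcome, user, src, reasons))
    return hits

def scan_filesystem(root="/"):
    """Look for the marker file and for ~/.viminfo entries that mention it."""
    root = Path(root)
    findings = []
    if (root / MARKER_FILE.lstrip("/")).exists():
        findings.append(("marker-file", MARKER_FILE))
    for viminfo in sorted(root.glob("home/*/.viminfo")):  # assumes homes under /home
        try:
            text = viminfo.read_text(errors="replace")
        except OSError:
            continue  # unreadable history file: skip it, keep sweeping
        if MARKER_FILE in text:
            findings.append(("viminfo-reference", viminfo.relative_to(root).as_posix()))
    return findings

# Constructed sample log lines for illustration; not data from the incident.
SAMPLE_LOG = [
    "Jul 12 03:14:07 node1 sshd[4121]: Accepted password for alice from 192.0.2.10 port 40112 ssh2",
    "Jul 12 03:15:55 node1 sshd[4130]: Accepted password for bob from 88.208.195.26 port 51022 ssh2",
    "Jul 12 03:20:01 node1 sshd[4188]: Failed password for root from 88.208.195.26 port 51030 ssh2",
    "Jul 12 04:02:19 node1 sshd[4290]: Accepted publickey for naustin from 192.0.2.44 port 39001 ssh2",
]
```

Pointing `scan_filesystem` at a read-only mount of a suspect disk image avoids touching timestamps on the live host.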
