Hacked MIT Server Used To Stage Attacks

wiredmikey writes "A compromised server at the Massachusetts Institute of Technology (MIT) has been identified as being used as a vulnerability scanner and attack tool, probing the Web for unprotected domains and injecting code. According to researchers, the ongoing attacks appear to be related to the Blackhole Exploit Pack, a popular crime kit used by criminals online. The attacks started in June, and an estimated 100,000 domains could have been compromised. Judging by initial data, one MIT server (CSH-2.MIT.EDU) hosts a malicious script actively used by cyber-crooks to scan the web for vulnerable websites. These types of attacks are how BlackHat SEO scams are propagated, which target search results in order to spread rogue anti-virus or other malware. In addition, compromised hosts are also leveraged for other schemes, such as spam or botnet control."

Remarkable

[Anonymous Coward]

They use windows as servers at MIT. Not all they (MIT) are cracked up to be apparently.

Luckily it wasn't the important server there

[hessian]

http://fuck-the-skull-of-jesus.mit.edu/ [mit.edu]

Re:

[tywjohn]

Don't click the Princess Di link if you are at work... I just found out the hard way

Not work acceptable, duh.

[Anonymous Coward]

For Christ's sake man, you are visiting a site with "Fuck The Skull Of Jesus" in the domain name, but you're worried about a blow job picture? You are what's wrong with America.

Re:

[tywjohn]

You are what's wrong with America.

That's funny because I've never been there before

Re:

[Anonymous Coward]

Oh Lord, they're everywhere.

Re:

[adolf]

I've been reading alt.fuck.the.skull.of.jesus.binaries.pictures.erotica ever since it got newgrouped, and never realized there was an associated website.

Thanks!

Let me guess, it wasn't running OpenBSD.

[Anonymous Coward]

These kind of exploits just don't happen when you're running OpenBSD. OpenBSD is THE ONLY safe option for any publically-accessible server.

Re:Let me guess, it wasn't running OpenBSD.

[Xugumad]

If you think OS choice is the biggest issue with academic network security, you clearly haven't met enough academics...

Re:

[Drollia]

If only I had mod points. I don't think that a better comment could be made about the state of Academic Security, or just IT systems period.

Re:

[Nursie]

You don't have to go that exotic to find clueless pwners...

My home NAS box that I hacked debian on to had really weak passwords at first, and got pwned. The attacker made a ram disk and dumped a shoutcast server binary on to the machine. An x86 binary, on an ARM machine. It appears that they got stumped and gave up at that point.

Re:

[the linux geek]

Or HP-UX, or AIX, or GCOS 7, or z/OS, or OS 2200, or NSK...

Or a properly configured Windows or Linux. Proper administration matters far more than OS choice.

The last time I was attacked by MIT...

[billstewart]

I used to keep a couple of honeypot open servers on the DSL line in my lab in the late 90s. Nobody ever bothered the Win95 box, but the unpatched Red Hat 6.x box was broken into and brutally killed enough weeks in a row I ended up naming it "Kenny". It got attacked by some machine in Sweden and was pinging home to check in and receive further commands, so I and the admin there cleaned up our machines. I forget if the attack on the wu-ftpd daemon came from Washington University or was used to attack them. The bad guy thought they had covered their tracks by replacing the ps and ls commands, but I noticed their extra directories with "find", and their processes with "echo /proc/*" :-)

So one week the attack was coming from MIT. I tried going through mit.edu's website to find a sysadmin to talk to, didn't get a response, so I sent email to a security researcher I knew there, who already knew about the problem. It turns out that the attack wasn't actually from MIT - it was from somebody in Japan who was using a compromised Sun server, and there was a byte order problem in the attack code. So the attacker wanted my machine to be pinging him at x.y.z.18, but instead my responses were going to 18.z.y.x at MIT.

Re:

[PartyBoy!911]

> the unpatched Red Hat 6.x box was broken into and brutally killed enough weeks in a row I ended up naming it "Kenny"
That's what you get for running unreleased versions, Red Hat 6.x wasn't released until the very late 10's..... november 2010 if I remember correctly

Re:

[RadioTV]

NO. RHEL 6 wasn't released in the 90's, but Red Hat 6 was. Red Hat has changed names and re-started their version numbers.

Re:

[billstewart]

RadioTV is correct - this was under the earlier numbering system.

Not very smart

[Anonymous Coward]

That's not very smart.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[sjames]

They gotta pay those student loans somehow. This is just the magical free market solving the problem.

Re:

[hedwards]

And unfortunately with student loans those don't have a statute of limitations and typically can't be discharged by bankruptcy.

So, if you get a bum education, and can't get a job that pays well enough to pay the loan, you're screwed with garnishments for possibly the rest of your work life.

Re:

[orphiuchus]

Just make sure to use systems so old and useless that nobody could ever want to compromise them.

_
Sent from my Nokia N-Gage

Re:

[metalgamer84]

Windows Me it is then.

Re:

[djdanlib]

Well, the point was to have something that YOU could use, too.

Re:

[Ethanol-fueled]

My alumnus was a MIT physics grad. He expanded what should have been a simple problem to 14 steps across both boards when the whole class deduced the answer at the second step and was already yawning and walking out when he finally hit the punchline.

MIT FTW.

Re:We're doomed

[hedwards]

I'm pretty sure you don't have an alumnus, slavery is illegal.

Re:

[DarkTempes]

Just because something is illegal doesn't mean it can't happen.

Re:

[Smallpond]

I've reported hacked machines on networks at CMU and NASA. Scientists and engineers know enough to set up servers but not enough about security.

"Hacked"

[Baloroth]

Are we quite sure this server was hacked? I wouldn't put it past some college student, or possibly even a network admin, to do this personally. While that may technically still be "hacking", it wouldn't qualify for it in the popular-media definition (which is the way TFA seems to be using it... or maybe not, maybe the writer is using the term deliberately.) The proper term is "cracked."

Re:

[Anonymous Coward]

The work 'hack' / 'hacker' is gone... Don't bother trying to get it back...

See the movie "Clerks 2" and look at Randal's use of 'porch monkey' for why it will fail.

Re:

[ralphdaugherty]

There were two hacked servers at MIT, I noted their IP addresses when they tried to spam my little website weeks apart.

Re:

[TubeSteak]

Are we quite sure this server was hacked?

Universities have an enormous attack surface.
It didn't even take me 30 seconds to find two MIT websites that have been exploited

Both of these redirect to online pharmacies
open at your own risk
advocacy.mit.edu/coulter/?qq=3502
education.mit.edu/ar/ar/ar.php?q=541

You can find more if you like, just change "viagra" to whatever spammy keyword you can think of
https://encrypted.google.com/search?q=site:mit.edu viagra [google.com]

Re:

[CAIMLAS]

Spam and exploits from .edu is incredibly common. Pretty much everyone who had "internet" access prior to around 1994 has a very, very large network (for their size). Most corporations have probably sold back their addresses by now, but it's not unheard of for small schools to have /22 or /20 networks, because "that's all they'd ever need". Public access to the Internet was still unheard of.

The result is that, even today, many (most? all the ones I have seen) campus dorms give their students public IP addre

Re:

[allo]

because being hacked has nothing to do with research.

Re:

[fotoguzzi]

Spoken like a true Engrish major.

Big Ado About Nothing

[DTemp]

I've seen this story posed over and over. Some computer sitting in Building 1 on campus, used by Course 1, was compromised. BFD. MIT's Information Services and Technology deal with computers like this every day, as does anyone who manages a network with tens of thousands of computers. There are dozens of machines a day that get compromised. This is not a server sitting in the racks; this is a computer sitting in a closet or under a desk in an academic building. There are multiple addresses people can use to report maliciousness on the network (abuse@mit.edu, stopit@mit.edu, security@mit.edu), and they take care of the compromised computers in an order that actually matters.

I guarantee you there are dozens of other computers on the MIT network right now that are also serving malware or acting as a point of entry for hackers, and they'll get dealt with as they get noticed.

THANK YOU

[S77IM]

...for calling them "criminals" and not "cyber-criminals."

They have an open network policy

[MITpianoman]

Having gone there for my undergrad, this isn't that surprising. Students' computers get fixed IP addresses on the network (and it's very straightforward to get a hostname registered). Due to the fixed IP addresses, hackers scan the network range fairly regularly looking for boxes to pop. Back in 2002 I set up a Win2k box on the network. Within 24 hours of it being online (and stupidly, unpatched), it was infected with code red.

So who is the owner of the system?

[damn_registrars]

Who does csh-2.mit.edu belong to at MIT? For a school that large there is a very good chance that it belongs to someone who is not necessarily well versed in network security. It is entirely possible that the system was compromised because of an exploit that an admin would consider "obvious" for whatever OS was running on it.

Re:

[belg4mit]

That list would appear to be out of date. I queried the MOIRA database directly,
and the record for this host (updated 2011-09-22) suggests it belongs to a student
in civil engineering.

Re:

[CAIMLAS]

Having had to deal with various admins in academic institutions over the past year or so, as well as experience doing IT in academic institutions, my experience is this:

* Nobody owns the systems. They're there. There are people there. Being an educational institution with peoples' primary purpose in being there to either teach or learn, efforts are focused elsewhere.
* There are very few actual IT staff. Mostly, they're there to keep the systems directly responsible for education working, as well as lab comp

Re:

[SuricouRaven]

Found one of those myself once, inside a wall. Turned out to be the very first server the then-school ever had. At the time there was no server room, and the computer lab was one room - so the only way to keep the server from being messed with by students was to open the (conveniently hollow) wall, put the server inside, and seal the wall up again. I only found it by following network and power cables that disappeared through a hole on one side and didn't come out the other.

Re:

[tlhIngan]

Who does csh-2.mit.edu belong to at MIT?

RMS, of course! Remember he advocates people to not use passwords and saw the mandatory passwords as draconian to freedom. (He campaigned for people to just hit enter when asked to set a password).

Of course, I jest, and I'm not sure if RMS even believes in that anymore. Though, then again, there may be a few people leaving blank accounts just in case RMS ever needed them...

Funny......

[hesaigo999ca]

I think that what is the funniest part in this is that MIT is supposed to be a leader in cyber security and all that is high tech. The fact they were p0wned, to me shows that times are getting really hard to maintain that title. I guess they are not so hot any longer....eh?

MIT has its own Class A subnet

[Muerte23]

It's hard not to have a few hacked servers when you comprise 1/255 (approx) of IPv4 space with everything sitting on an enormous pipe. Plus there's such a high flux of students coming, setting up servers (sometimes in closets), and leaving that there is a nightmare of unpatched everything there. Plus school is a place where you are supposed to learn, and a lot of learning comes from making mistakes.