chain of causality

I’ve learned some more about the events that led to the “impromptu system reinstall”:http://off.net/~shaver/diary/archives/001820.html, and they’re not entirely amusing, or entirely surprising. Let me lay out a scenario for you.

Let us define E and N as two computer systems, not equal to bitchcake ([B]).

E was compromised, and a “trojan ssh”:http://www.emsi.it.pl/ssh/ was installed on their system. Via one or more users shared between E and N, N was eventually compromised. (I suspect, though have no evidence to support, that one of the recent flurry of “privilege”:http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt “escalation”:http://isec.pl/vulnerabilities/isec-0013-mremap.txt bugs in the Linux kernel let the intruder up the ante on E, N and eventually B.)

N and B also share at least one (likely precisely one) user, and it’s not at all unlikely that this was the vector through which B (and, transitively, one additional machine) was compromised.

This wouldn’t be all that bad, as These Things Do Happen, and I could have certainly done a better job of keeping B’s update, well, up-to-date, but it turns out that E’s administrators knew quite some time before the N → B attack that they had this problem, and didn’t bother to tell people. A-frigging-hem. Given that the N → B user is conscientious about such things to a fault, and generally the sort of responsible user that every system administrator would like to clone throughout his or her @shadow@ file, it seems not unlikely that we’d have at least discovered the intrusion on B earlier, and quite possibly avoided it in the first place. Alas.

B is pretty sad about the whole thing, apparently, because it just killed another drive in its angst:

@hdc: dma_intr: error=0x40 { UncorrectableError }, LBAsect=120582, high=0, low=120582, sector=120582@

Yay! More drive shopping!

(Further: the “User In Question”:http://neon.polkaroo.net/~mhoye/blarg/ should not be “beating himself up”:http://neon.polkaroo.net/~mhoye/blarg/archives/001863.html about this at all. Stop it right now.)

2 comments to “chain of causality”

  1. Mike Hoye
    entered 29 February 2004 @ 5:25 pm

    I’m going to beat on somebody for this. And, if not myself, I know precisely who’s next in line.

  2. Mike Hoye
    entered 1 March 2004 @ 4:41 pm

    P.S: You wouldn’t believe the conversations I’ve been having about this with people here. If I wasn’t so angry, they’d be a comedy goldmine.