Cory Altheide, a handler, originally posted this on the Internet Storm Center site and gave ComputerWorld Canada permission to print an edited version of the account.
It was the first night Bob, a security analyst, was going to spend a night alone in his company’s security operations centre (SOC). The ISP Bob works for had just ramped up to 24/7 operations the week before.
Before leaving, Bob’s colleague Carol had mentioned a general “weirdness” in the DMZ traffic. Bob started poring over the output of his earlier queries to see if he could figure out the cause of this weirdness. Suddenly, he saw it: a new host in the DMZ — one that had apparently come up at the stroke of midnight.
After he looked up the latest network diagrams for the DMZ, he found no authorization for a new box. Bob scanned the box to see how risky the situation was. A quick map returned the results:
“Remote operating system guess: Linux 2.0.35-37.”
He wondered whether this was some sort of prank. He typed “root” and the box retorted with “Password:”
He reiterated, “root”.
[root@zion root]#
That’s when Bob realized it wasn’t a joke. This was a real box, and he needed to find out who it belonged to.
He listed the contents of /home, and was rewarded with a litany of names he didn’t recognize. The one with the most recent activity was “tanderson,” and the “w” command showed that root and tanderson were logged in. It also showed that the box had been up for close to 12 days, and that tanderson had logged in on October 18th, 1999. The “date” command confirmed it: the system was also set to a date in 1999.
After Googling for a bit, he discovered the “write” command and typed the following: [root@zion root]# write tanderson tty1 It was time to question his suspect.
“What’s up with this box?” Bob typed.
tanderson@zion replied, “What? Who are you?”
“I’m root, who are you?” Bob wrote back.
“Look, I don’t know if your a hacker or whatever but please don’t hack my computer right now. I need to finish my work.”
“You look. You bring a Swiss cheese box up on my DMZ and it’s my problem. What the hell are you doing?”
“Hey, pal, I don’t want to fight. I just want to finish this project, OK? I’m on a deadline…”
“Sorry dude, but your deadline ain’t my problem. This box is going to have to come down immediately — it’s too risky to leave up.”
Bob stared at the screen, terrified. The beeping of his calculator watch broke his trance. It was midnight.
“Connection closed by foreign host.”
He scooped up the phone and dialed Ted, the night sys admin.
“Hey Bob, what can I do ya for?”
“Do you know anything about a box named ‘zion’ in the DMZ?”
“Our DMZ?”
“Bob, there’s nothing at that IP,” Ted said.
Bob quickly pinged it, and attempted to telnet in again. Ted was right, the box was down.
“It … it was just up. I telnetted right in, it was a Red Hat 5.2 box, and a user named ‘tanderson’ was logged in …”
“Tanderson? Are you sure?”
“Yes, I’m positive. He kept yammering about finishing his project,” Bob said.
“Bob, Thomas Anderson was downsized back in ‘99. He was working on moving all of our NT servers to Linux, but he never got to finish.
“Bob, that server’s been down for five years.”
Bob’s friends say he can’t bring himself to go back to the SOC anymore, and he’s looking for telecommuting jobs on Monster.
Quick Link: 050025
