A news posting which allowed hackers to penetrate thousands of Usenet news servers over the weekend may still be propagating on news servers around the world. The hackers posted a Usenet message that contained a list of executable computer commands, telling the servers that processed it to send information to outside servers.
That information may allow attackers to break into ISP networks and gain access to personal email and other sensitive information, according to Matt Power, a post-doctoral associate involved in network security at MIT. Information including the server password file, computer system name and manufacturer was sent to a list of the users who were logged in at the time, and the network configuration file was sent to Rice University in Texas, the IBM Network in Sweden and a German ISP called DVZ M-V GmbH.
Power points out that these destination addresses may be an attempt to deflect suspicion from the real hackers.
"We know that the destination addresses are roughly the same as the sources of the Usenet message," he says. "But hackers who are clever enough to do this are also clever enough to cover their tracks."
Power's major concern is that other hackers may attempt to create copycat attacks by simply copying the message and posting that to other news groups. It is possible that government agencies and institutions in the US have sent out information that will enable them to be hacked, he says.
Basically any server not running InterNetNews Version 1.5.1 from the Internet Software Consortium (ISC) (http://www.isc.org/) is vulnerable. This amounts to thousands of servers in the US and Canada, according to analysts.
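Given that the article's only stated threshold is "not running INN 1.5.1", an administrator inventorying their own news hosts would want a quick check of what each server reports. The following is an added example, not code from the article or from ISC; it assumes the standard INN greeting shape "200 host InterNetNews server INN x.y.z ... ready" and treats anything older than 1.5.1 as needing an upgrade.

```python
import re
import socket
from typing import Dict, Iterable, Optional, Tuple

# INN 1.5.1 is the version the article names as not vulnerable.
FIXED_VERSION = (1, 5, 1)

# Assumed banner shape for innd/nnrpd greetings (assumption, not from the article), e.g.
#   "200 news.example.net InterNetNews server INN 1.5.1 17-Dec-1996 ready"
_BANNER_RE = re.compile(r"InterNetNews.*?\bINN\s+(\d+(?:\.\d+)*)", re.IGNORECASE)

# Constructed sample banners so the scan can be demonstrated offline.
SAMPLE_BANNERS = {
    "news-a.example.net": "200 news-a.example.net InterNetNews server INN 1.5.1 17-Dec-1996 ready",
    "news-b.example.net": "200 news-b.example.net InterNetNews NNRP server INN 1.4unoff4 ready",
    "news-c.example.net": "200 news-c.example.net DNEWS Version 4.0 ready",
}

def parse_inn_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the INN version from a greeting banner as an int tuple, or None if not INN."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """Older than 1.5.1 is flagged; shorter tuples (e.g. '1.5') are zero-padded before comparing."""
    width = max(len(version), len(FIXED_VERSION))
    padded = version + (0,) * (width - len(version))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return padded < fixed

def classify_banner(banner: str) -> str:
    """'ok', 'vulnerable', or 'not-inn' (a non-INN server is out of scope for this check)."""
    version = parse_inn_version(banner)
    if version is None:
        return "not-inn"
    return "vulnerable" if is_vulnerable(version) else "ok"

def scan_banners(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify a host -> banner mapping, e.g. one collected from your own servers."""
    return {host: classify_banner(b) for host, b in banners.items()}

def fetch_banner(host: str, port: int = 119, timeout: float = 5.0) -> str:
    """Read only the greeting line from an NNTP server you administer, then disconnect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.makefile("r", encoding="latin-1", newline="\r\n").readline()
        s.sendall(b"QUIT\r\n")
        return banner.rstrip("\r\n")

if __name__ == "__main__":
    for host, verdict in scan_banners(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

The banner is a heuristic only, since an administrator can edit the greeting text; confirm the result against the installed INN package before treating a host as patched.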
The FBI's high-tech squads in San Francisco, Washington, D.C., and New York are currently looking into the matter, according to George Grotz, spokesman for the FBI in San Jose, California.
Computer Emergency Response Team (CERT) officials say they were alerted over the weekend about the security breach by a number of ISPs, and will be providing an advisory in today's CERT newsletter, which can be found at ftp://info.cert.org/pub/cert_advisories/.
CERT is based at Carnegie Mellon University in Pittsburgh, and can be contacted at +1-412-268-7090 and on the World Wide Web at http://www.cert.org/.