I’d like to talk about Ultimate, and how Coop’s team beat us the other night and how he’s a crafty player, but it’s been a bad few days, so I’m going to talk about that instead.
In light of Shaver’s Surprise Guest Administrator incident, I took a good hard look at the Nexus project, and, lo and behold, we’re hosed. Nexus, and four other machines on campus, have been compromised. So my days have recently looked a lot like I suspect his did, go buy new drives, do the reinstalls and then spend time I don’t really have doing forensic work on the old drive to figure out what else has gone wrong.
Boy, had things ever gone wrong. It’s not completely clear which way the plague spread, but a naive comparison of dates between bitchcake and nexus seems to show that nexus was compromised first. Either way, my account was the infection vector.
From what we can tell, the compromised machines had been set up to run IRC bots, presumably for a denial-of-service attack at some point in the future, or just as part of some script-kiddie-related penis-size contest. We haven’t got that far yet; I’ve been busy fighting on-campus fires and helping Shawn reinstall Debian on the afflicted machines. We’ve tracked the person responsible to, apparently, Romania, via some IRC-related sleuthing, and developed what appears to be a reasonably good protocol for preventing this from happening in the future.
The “Romania” thing really disappoints me, because I had really hoped that I’d be able to hold this person’s throat in my hands. Ever seen that bit in Pulp Fiction where Vincent Vega’s talking about how his car got keyed? It would have been worth it, if I could have just caught him doing it.
We also found an incredible list of other compromised machines in the logs.
I’ve contacted all the people on campus and on our subnet who were on the list. I’m really not sure what else I can do, aside from battening down the hatches and trying to keep it from happening again, but I have this list of maybe four hundred compromised machines here from all over the world and I’m not sure what to do with it. About half of them end in “undernet.org”, though, and I know exactly what I’m going to do about those.
Update: As it stands, the evidence is that the spread of the infection went from Engsoc here at Carleton to Nexus, and from there to Bitchcake. And it gets better: apparently the people at Engsoc knew about a break-in back in the middle of January, and didn’t tell anyone.
Shaver was actually apologizing to me about this. I’m going to have to clear that up with him, and maybe beg forgiveness while I’m at it.
After I find somebody appropriate at Engsoc, bite their goddamned arm off and pound them down with it.