Date:      Thu, 11 Dec 1997 23:00:26 -0800
From:      Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To:        freebsd-security@freebsd.org
Cc:        security-officer@freebsd.org
Subject:   Re: Yahoo hacked
Message-ID:  <199712120700.XAA12938@cwsys.cwsent.com>

Enclosed is a posting by Aleph One to BUGTRAQ.

Considering that a weak password may have contributed to the hack, if the 
account had access to their Web pages, a root compromise may not have occurred. 
Having said that, the first rule of investigating a compromise is to assume 
that root had been compromised, until it can be proven otherwise.

I don't think this is the time to panic.  I'm sure that someone in the core 
team has already spoken to the Yahoo security officer to find out more and to 
offer assistance.  That's probably the quickest way they will be able to get 
enough information about the break-in to determine whether a FreeBSD bug had 
contributed to the break-in.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       Cy.Schubert@gems8.gov.bc.ca

		"Quit spooling around, JES do it."


------- Forwarded Message

Approved-By: aleph1@UNDERGROUND.ORG
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.SUN.3.94.971210212410.5437E-100000@dfw.dfw.net>
Date: Wed, 10 Dec 1997 21:50:52 -0600
Reply-To: Aleph One <aleph1@dfw.net>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Aleph One <aleph1@dfw.net>
Subject: Re: Yahoo hacked
To: BUGTRAQ@netspace.org
Resent-To: cy@passer.osg.gov.bc.ca
Resent-Date: Wed, 10 Dec 1997 20:32:27 -0800
Resent-From: Cy Schubert - ITSD Open Systems Group <cschuber@passer.osg.gov.bc.ca>

   Here are some more rumors.

   It was not DNS related. It seems Yahoo uses a system where different
web browsers are sent to different web servers. That's why only lynx users
(and maybe users of very old versions of Netscape) saw the page.
Only the lynx server was affected.

   The boxes affected were located in the GlobalCenter data center. They
provide web hosting for Yahoo (and some other very large web sites).

   My informant claims that the attack actually came from behind the
firewall via a dialup modem. He claimed that the password to a user's account
on the machines had been compromised.

   After the web page was modified all types of automatic bells and
whistles went off and they restored from backup in fifteen minutes.

   You can view a copy of the hacked homepage at

       http://www.clipper.net/~skully/yahoo/

   Notice that the page had a link to

       http://www.yahoo.com/yahooz-el8-search-engine-src.zip

    Wonder if the source code for yahoo's search engine was really
there and if anyone got to download it ;)

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01


------- End of Forwarded Message
