by Tom Holub
Many of you may have noticed that your web site was down for most of the afternoon of Tuesday, 7/25. A few of you also noticed that your home page had been defaced. This is apparently the result of a concerted effort by a particular group of hackers to deface web sites around the world; we're seeing evidence of various sites in Israel, India, Chile, and the Red Cross, defaced with the same message.
We had been monitoring hacker activity over the preceding few days, but had not been able to confirm a compromise until today. Fortunately, because of our precautions we discovered the problem within a few minutes, and immediately shut down the web server (at about 2:00 PM on that day).
The intruders replaced all files named index.html or index.htm with their hacked version. We were able to restore all of these from last night's backups; any changes you made to index files on Tuesday during the day may have been lost. Please mail sysadmin@LS.Berkeley.EDU if you notice anything else missing or altered.
In addition to altering files, the intruders captured the passwords of a number of our users. We have temporarily disabled the accounts of anyone whose account was compromised; please contact sysadmin@LS.Berkeley.EDU if you are unable to access your account. Also, if there are any other accounts where you use the same password, you should change your password on those systems, as well.
After forensic examination, we were able to identify the security problem, which was related to a hole in the Linux kernel; we had installed the patch previously, but we had not rebooted the machine, so we were still vulnerable. We've located the script the hackers used to gain access to the machine, and have verified that our machine is no longer vulnerable to this exploit. However, it appears that this attack is part of a larger pattern; there are other machines on campus displaying similar problems, and we may be subject to additional attacks on our web server now that it is clean. I assure you that we will take every possible precaution to keep your sites and your data secure.
The web server is now back up and running; we will continue monitoring for security problems, but we do not at this time anticipate further downtime or problems for your web sites.
Please let me know if you have any questions.