[parisc-linux] puffin cracked, Action Required

Paul Bame bame@riverrock.org
Sun, 30 Dec 2001 12:55:34 -0700


On Dec 18 puffin.external.hp.com was removed from service because
it had been compromised.  We knew this was possible (RH 5.2) which
is why we moved all services off of puffin.

Baddies definitely have the password file, so if you used the
same password on puffin as elsewhere you should probably change it,
and especially if 'crack' can guess it.

Baddies also trojaned ssh, so if you used ssh *from* pehc *to* another
machine, whatever credentials you used may have been stolen -- whether
that's the password to the remote machine or the pass phrase to your
secret key stored on pehc.  So if you ssh-ed *from* pehc you should
change the credentials you used.  Those of you whose ssh credentials
were recorded in the trojan's "jackpot" file have long since been
contacted and you've taken action -- you have, haven't you?!

It would be a good idea to check for evidence of intrusion on
any machines where stolen credentials could be used.

If you need to recover some of your files from pehc please contact
me with the specifics, or taggart@fc.hp.com from Jan 4-18.

	-P