Recovering from a break-in on your system
If you have determined that your system has been attacked, and crackers
have gained access, there are a number of steps you need to take to return
your system to a trusted and secure state:
- You cannot trust that your machine is not
riddled with hacker-installed back doors, sniffers, etc. You must
completely re-install your system from known-to-be-good media,
preferably a read-only CD. Then go to the CERT web site
and check for any vendor advisories concerning your
version of the operating system, and apply all relevant patches. This may be
time-consuming! But if you don't follow through completely, you will
probably waste your time. Half-efforts are quite often not useful.
- All users of the affected system must change their passwords. (Really!) And they must use a "good" password, like "7Yapp%ZZ". "catdog" isn't a good password.
- Users should not make connections into or out of that machine in any way
that sends their password in the clear: "Kerberized" telnet only. (Note that
we do not currently have a Kerberized ftp available; stock ftp sends
your password in the clear.)
- We generally advise people to expend effort making their machines
secure, rather than tracking break-ins. Break-ins usually just lead back
to another cracked machine, and you're not really any farther along.
It is good to notify other system administrators, if you can easily identify
them, so that they too can correct problems. Any log files found on a
compromised machine may be of interest to MIT Network Operations; contact
network@mit.edu if you have questions. Always assume that your traffic is being
sniffed (because it probably is), and act to make your machine secure.
Kerberized telnet binaries for many systems are available.
Start with the README.athena file. This readme assumes you are installing
on an Athena workstation, but if you read through it, you should get the
idea of what needs to be done. You will need to get a srvtab for each machine.
Telnet clients for the Mac
and PC are also available. This is I/S-supported software.