The bombardment of Usenet news servers across the Internet that began Saturday continued Tuesday, and while a student at Rice University had been identified in connection with the attacks, it was not yet known whether this was a prank or if the attacker had malicious intent.
The machines were attacked via a well-known hole in the interpretation of Usenet control messages, which normally send information to individual news servers. The hole exploited a bug in popular news server software that allowed the messages to contain commands to be executed on the news server machine.
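The bug class described above is a news server treating the value of an article's Control: header as something to hand to a command interpreter rather than as data. As an added example, not code from the article or from any actual news server, the Python below shows the hardened shape a defender wants: a strict allowlist of control verbs, a per-argument pattern each value must match, and dispatch to ordinary functions so no header text ever reaches a shell. The verb grammar is a simplified assumption (real news software accepts more forms), the handler functions are hypothetical, and the sample articles are constructed for the demonstration.

```python
import re

# Constructed sample articles (headers plus empty body); not real Usenet traffic.
SAMPLE_ARTICLES = [
    "Path: news.example.org!not-for-mail\r\n"
    "From: poster@example.org\r\n"
    "Control: cancel <abc123@example.org>\r\n"
    "\r\nbody\r\n",
    "Path: news.example.org!not-for-mail\r\n"
    "Control: newgroup comp.example.test moderated\r\n"
    "\r\n",
    # Hostile value: the argument carries extra shell-style text. A handler
    # that pasted the header into a command line would hand that text to the
    # shell; the validator below rejects it instead.
    "Path: news.example.org!not-for-mail\r\n"
    "Control: cancel <abc123@example.org>; echo injected\r\n"
    "\r\n",
    "Path: news.example.org!not-for-mail\r\n"
    "Subject: no control header\r\n"
    "\r\n",
]

# Assumed, simplified argument patterns: one bounded character class each.
MSGID = re.compile(r"^<[A-Za-z0-9._+=%$!-]+@[A-Za-z0-9.-]+>$")
GROUP = re.compile(r"^[a-z0-9][a-z0-9+_.-]{0,127}$")
FLAG = re.compile(r"^(moderated|unmoderated)$")

# Allowlist: control verb -> pattern each positional argument must match.
ALLOWED = {
    "cancel": [MSGID],
    "newgroup": [GROUP, FLAG],  # trailing flag is optional, see OPTIONAL_TAIL
    "rmgroup": [GROUP],
    "checkgroups": [],
    "version": [],
}
OPTIONAL_TAIL = {"newgroup": 1}  # how many trailing arguments may be absent


def parse_control(article):
    """Return the value of the first Control: header, or None if absent."""
    head, _, _ = article.partition("\r\n\r\n")
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "control":
            return value.strip()
    return None


def validate_control(value):
    """Split a Control: value into (verb, args); raise ValueError unless the
    verb is allowlisted and every argument matches its pattern."""
    parts = value.split()
    if not parts:
        raise ValueError("empty control value")
    verb, args = parts[0].lower(), parts[1:]
    if verb not in ALLOWED:
        raise ValueError(f"unknown control verb {verb!r}")
    patterns = ALLOWED[verb]
    optional = OPTIONAL_TAIL.get(verb, 0)
    if not (len(patterns) - optional <= len(args) <= len(patterns)):
        raise ValueError(f"{verb}: wrong argument count {len(args)}")
    for arg, pattern in zip(args, patterns):
        if not pattern.fullmatch(arg):
            raise ValueError(f"{verb}: argument {arg!r} fails {pattern.pattern}")
    return verb, args


# Hypothetical handlers standing in for the server's real actions.
def handle_cancel(msgid):
    return f"cancelled {msgid}"


def handle_newgroup(group, flag="unmoderated"):
    return f"created {group} ({flag})"


def handle_rmgroup(group):
    return f"removed {group}"


HANDLERS = {"cancel": handle_cancel, "newgroup": handle_newgroup, "rmgroup": handle_rmgroup}


def process(article):
    """Hardened dispatch: validated arguments go to a Python function; the raw
    header value is never interpolated into a command line. Returns (verb, outcome)."""
    value = parse_control(article)
    if value is None:
        return (None, "no control header")
    try:
        verb, args = validate_control(value)
    except ValueError as exc:
        return (None, f"rejected: {exc}")
    handler = HANDLERS.get(verb)
    if handler is None:
        return (verb, "ignored: no handler configured")
    return (verb, handler(*args))


def process_all(articles=SAMPLE_ARTICLES):
    return [process(article) for article in articles]


if __name__ == "__main__":
    for verb, outcome in process_all():
        print(verb, "->", outcome)
```

The contrast with the vulnerable pattern is the absence of any string-built command: the weak form builds something like `"<control-script> " + header_value` and runs it through a shell, so the header's content becomes part of the command. Logging every rejection, as `process` returns it, also gives an administrator a cheap detection signal for the kind of malformed control messages the article describes.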
Though the hole is a known bug with a published fix, a great many machines have been compromised. Many Usenet administrators may still be unaware of the problem. CERT, the Computer Emergency Response Team, issued a special bulletin Tuesday to reach more administrators.
"At this time [Monday], 40 sites were known to have been compromised," said CERT's Terence McGillen. "As of [Tuesday], that number is up to 130. Right now, the CERT team is working in real time with administrators at the affected sites. As the days go on this week, we'll post updates as to the activity - it may die down, or it may not."
McGillen was reluctant to speculate on the identity of the perpetrator. "We don't focus on that," he said. "We're not concerned in who the intruders were - just in the means they used to attack the sites."
The attack emailed a machine's encrypted password file and other sensitive information to a remote address - one of which had been an obviously hacked account at Rice University in Houston, Texas.
Officials at Rice University said they had found their man. "We do know who it is and will be taking appropriate steps," said Kathryn Costello, a university vice president. "We caught him thanks to all of the security measures we had implemented - it was a good test case for us, actually. We knew what terminal he was working at and were able to quickly identify him." His name has not been released.
"The Rice news server was the point of attack," Costello said. "This could not have affected other university data because it is a standalone system kept separate from the rest of our computing facilities," she said.
There has been no reported further compromise of these systems as a result of the attack, but some administrators tested the security hole in question, causing more of the system-cracking control messages to be broadcast to all of Usenet's servers.
One of those additional messages was possibly from another "real" attacker, said David C. Lawrence, the news administrator whose email identity was spoofed by the cracker.
"[While] several later attacks were really administrators who let their well-meaning tests escape to the world, a couple of attacks have not yet been classified; at least one of them looks more like a real copycat attack than an innocent mistake."
In order to gain unauthorized access to any of the attacked systems, the cracker would first have to run password-cracking software against the stolen password information. So far, no administrators are aware of any such further compromise on their systems.
"I have talked to several dozen sites at this point, well over a hundred," said Lawrence. "None have yet reported any additional compromise stemming from this attack. A significant factor in this is that the password file delivery destination machines in the original attack - two hosts in IBM Sweden's network - were unreachable from pretty much the time that the attack began," he said.
Speaking of the possible copycat attack, Lawrence said it was too early to speculate whether the person would obtain anything usable before being caught. "First he has to break some passwords, then he has to contact the machine that has the account for the broken password, if he can get past their firewall and any additional security guards in place," he said.
Things could have been worse. While these attacks seem to be just mailing a copy of the password file to an outside email address - presumably to be later cracked with brute force - virtually any system command could be performed, including the erasing of system data. This is clearly a serious hole.
"It was characterized as an attack on the infrastructure, which I would say is serious," said McGillen. "This problem has been around for a while, it's just that [network administrators at these sites] are swamped with work. We don't expect this to go away overnight."