FEDERAL BUREAU OF INVESTIGATION

Precedence: PRIORITY
Date: 03/04/1998
To: [redacted]  Attn: SSA [redacted]
From: Sacramento, WCC Squad 5
Contact: [redacted]
Approved By: [redacted]
Drafted By: [redacted]
Case ID #: 288-HQ-1242550 (Pending)
Title: SOLAR CITA

Synopsis: Information possibly pertaining to intrusions into DOD Domain Name Servers using the statd exploit on Solaris 2.4 operating systems.

Reference: HQ ECs dated 2/9/98 and 2/12/98.

Enclosures: Enclosed for [redacted] are the following:
1. 22 pages of logs provided by the University of California-Davis.
2. 3 logs provided by the University of Colorado Boulder.

Details: On [redacted], [redacted], Computer Security Analyst, Information Resources Division of Information Technology, University of California, 1 Shields Avenue, Davis, California 95616, telephone [redacted], advised all 17,000 computers in the University of California-Davis (UCD) network had been attacked between 1/25/98 and 1/28/98. Page 6 of enclosure 1, UCD Incident Response Team (UCDIRT) notice #63, identified the initial probes as originating from netgate.saes.com. The initial attack lasted almost twenty-four hours. Three UCD hosts, ging.ucd.edu, junior.itd.ucdavis.edu and guardian.ucdavis.edu, had TCP connections to other services during the attack. The Sun remote procedure connections from saes.com were the only ones logged for that week. Saes.com was registered to St. Andrews School, Bethesda, Maryland; [redacted] was identified as the technical contact.

In the opinion of the UCDIRT leader, this attack was probably used to generate a list of hosts running statd. The statd systems were then hit from computers located at Harvard University and Columbia University. Pages 7 through 10 of enclosure 1 identify the two computers at Harvard and Columbia as scotia.harvard.edu and bone.tc.columbia.edu. Three hosts were intruded. The compromised computers were running Solaris 2.4.

[redacted] was the administrator for one of the compromised hosts in the Geology Department. After replacing Solaris 2.4 with Solaris 2.5.1, [redacted] examined logs from January 17 and 18, 1998, and discovered another statd attack. On January 18, 1998, the intruder gained root access. The origin of the attack appeared to be [redacted]. Pages 4 and 5 of enclosure 1 represent examples of the statd attacks which occurred on January 17 and 18.

[redacted], Associate Professor, Department of Computer Science, reviewed logs and discovered imapd probes during January 18, 1998, from [redacted]. Page 3 of enclosure 1 is an addendum to UCDIRT notice #63. According to [redacted], imapd programs serve the same purpose as statd programs, that is, port mapping. Likewise, another UCD [redacted] reviewed logs and discovered additional attempted imap probes as early as November 18, 1997. The origin of these imapd probes appeared to be [redacted]. Pages 1 and 2 of enclosure 1 are an addendum to UCDIRT notice #63.

Sacramento provided relevant UCD logs to the following:
- [redacted], Columbia University, administrator for bone.tc.columbia.edu
- [redacted], Harvard University, administrator for scotia.harvard.edu
- [redacted], St. Andrews, administrator for netgate.saes.com

[redacted] provided pages 18, 19 and 20 of enclosure 1 and noted SA [redacted], FBI Cleveland, had also requested this information. SA [redacted] was contacted and confirmed he was aware of Columbia's information and had traced the intruder to [redacted] in [redacted]. SA [redacted] was preparing to serve a search warrant on the subscriber. SA [redacted] was also advised the [redacted] had successfully penetrated the UCD computer used for campus events and visitor services, had created a directory called home/meta and a password entry name of [redacted]. According to [redacted], this was the leitmotiv of his intruder. Pages 15, 16 and 17 of enclosure 1 were provided to SA [redacted].

[redacted], Harvard University, advised he had no logs for scotia.harvard.edu. [redacted], St. Andrews, likewise advised he had no logs for netgate.saes.com. However, [redacted] added he had been contacted by [redacted], University of Colorado Boulder.

[redacted], University of Colorado Boulder, provided enclosure 2 and advised his network had been the target of a statd probe from netgate.saes.com computer [redacted]. The three compromised University of Colorado machines were all running Solaris.

On 2/26/98, UCD Computer Security Analyst [redacted] was asked if the University had any indication their UCD machines had been used to launch flood attacks on any other computer networks. [redacted] stated they had received a few complaints concerning some internet relay channels which had been flooded, but nothing else. On the other hand, [redacted] pointed out the UCD computers logged only TCP telnet connections; [redacted] did not believe UCD Administrators would be aware of any ping attacks launched from their networks. [redacted] added UCD Administrators could track something other than standard TCP Telnet connections only if the suspect activity occurred coincident with the tracking.

Sacramento is attempting to identify the subscriber who launched the statd probes from [redacted]. [redacted] left to the discretion of [redacted]. Any other leads will be