As many users will have noticed, the Informatics SSH server ‘dunlin’ was unavailable from the morning of Thursday 26th July until the afternoon of Tuesday 31st July. This was because the root account on the system was compromised and an attempt was made to insert a rootkit into the kernel.
The configuration of this system meant that the attempts to infiltrate the kernel were unsuccessful, and we are confident that no passwords or other sensitive data were acquired by the attacker. The attack did, however, cause the machine to crash, and our procedures for handling crashes led to us spotting the compromise very quickly.
A thorough investigation of the incident was carried out, which allowed us to rapidly identify the account that had been used to gain access and to get its password changed so that the attack could not continue against other servers. We were also able to identify the method by which privilege escalation was achieved. We have since applied a security fix to all DICE machines, and they have been rebooted to ensure the same method cannot be used again.