[gu-l] Terrible experiences with hacker and virus
Tak Utsumi
utsumi@columbia.edu
Wed, 28 Feb 2001 03:22:05 +0000 (GMT)
<<February 27, 2001>>
Archived distributions can be retrieved by clicking the top lines of our home
page at <http://www.friends-partners.org/GLOSAS/>.
Shahab Khan <Afroz@khi.compol.com>
Effie Dracopoulos Boikos <boikos@sympatico.ca>
Greg Cole, Ph.D. <gcole@solar.rtd.utk.edu>
Steve McCarty <steve@kagawa-jc.ac.jp>
Christine Maxwell <maxwell@isoc.org>
Vincent Cerf, Ph.D. <vcerf@mci.net>
P. Tapio Varis, Ph.D, Professor <tapio.varis@uta.fi>
Xin DING <yys@crtvu.edu.cn>
Daing Zaidah IBRAHIM <daingz@unitarklj1.edu.my>
Dear Shahab and Effie:
======================
(1) Many thanks for your msg (ATTACHMENT I and II).
Dear E-Colleagues:
==================
I am so sorry for my absence since 2/3rd.
The server computer of the Friends-Partners.org at the University of
Tennessee at Knoxville (UTK) was attacked by a hacker and suffered
serious damage (ATTACHMENT VII).
Greg Cole frantically worked on its repair and finally fixed it.
Dear Greg:
==========
Many, many thanks for your effort!!
Dear E-Colleagues:
==================
If you run a server, pls watch for similar trouble as Greg's.
There is a group of hackers who attack unsecured servers
deliberately (ATTACHMENT VI).
(2) Greg took the advantage of this opportunity to convert our listserve
to a web-based Mailman system <http://www.list.org/>.
I strongly suggest that you should visit this web and study its new
features.
Dear Steve:
===========
Pls do so -- so that your management of our web may need some
revision.
You may then visit the following web;
http://www.friends-partners.org/mailman/listinfo.cgi
You can click your list group there to read general configuration of
your list.
Dear Christine:
===============
(3) Many thanks for your msg (ATTACHMENT III) with kind words, in response
to my previous list distribution Report on Dr. Utsumi's visit to
UNESCO/Paris on 1/12 - January 25, 2001 which can now be retrieved at;
http://www.friends-partners.org/utsumi/gu-l/early-2001/1-25-a.html
I would greatly appreciate your offer of using your LYRIS for our list
distribution. In light of the current incidence we had at the UTK as
mentioned above, it might be a good idea to have a second server for
our list, at least, as a back-up. Pls kindly inform me of the URL of
your LYRIS for my study.
We once had a quarterly e-publication, GLOSAS NEWS, which
summarized our activities -- see
<http://library.fortlewis.edu/~instruct/glosas/cont.htm>. It is
now ceased due to the lack of volunteer editors.
Dear E-Colleagues:
==================
Any volunteers to resurrect it?
Dear Vint:
==========
(4) Around the same time I received Christine's msg, I also received many
bounced msgs from your correct address which were not downloaded for
almost 500 days.
Your system must have had some trouble, hiccuped and spewed them out.
Dear E-Colleagues:
==================
(5) During our attendance at the InfoDay of the European Commission in
Luxembourg, Tapio told me his horrible story of when he got a virus and
lost many files on the hard disk of his Microsoft Windows machine.
(6) On the other hand, I use an Apple Macintosh machine. Since Mac's market
share is small, hackers do not dare to produce many viruses for Mac
except in a few instances (ATTACHMENT IV).
However, in order to cope with files produced with the Windows
operating system, I use Virtual PC on my Mac.
(7) When I received a msg from Prof. Xin DING who attended the annual
conference of the Asian Association of Open Universities (AAOU) in
Manila last October with me, I tried to open the attached file
Navidad.exe on the Virtual PC, even though the msg did not say
anything about the attachment -- I received the same msg three times.
I then found the hard disk of the Virtual PC was totally crashed and
had to spend a few days to re-install it.
Dear Ding:
==========
Pls inform me what the Navidad.exe was.
Dear Daing:
============
(8) It was my great pleasure to have attended the AAOU conference with
you, too.
Many thanks for your msgs -- with the attached file "Emanuel.exe" --
which were sent to me in reply format to my previous list
distributions (almost 60 of them!!). None of them said anything
about the attachment.
Because of my terrible experience with the attached file sent from
Prof. Xin Ding, I haven't opened your attachment file yet. Pls send
me your email msg in plain ASCII text format telling what the file is.
I will then open it and reply to you.
Best, Tak
****************************************
ATTACHMENT I
From: "shahab khan" <afroz@planwel.edu>
To: "Tak" <utsumi@columbia.edu>
Subject: PROBLEM IN SERVER
Date: Tue, 13 Feb 2001 22:02:57 +0500
Dear Tak
I am having problems in accessing the Global University
URL http://www.friendspartners.org/GLOSAS/
since a couple of days. I am not sure where the problem lies. I need to
access the sites in order to get information to prepare the introduction
on the GUS and GSTF for the Minister. Kindly also provide me the
pointers from where I will get related information for the proposal.
Regards
Shahab Khan, Director
****************************************
ATTACHMENT II
Date: Sun, 25 Feb 2001 10:38:42 -0500
From: Effie & Bob Boikos <boikos@sympatico.ca>
To: Takeshi Utsumi <utsumi@friends-partners.org>
Subject: email news
Hello, Dr.Utsumi,
I was just wondering whether I am still on your mailing list because I
haven't received anything from you in a while. I find your news and that of
the e-colleagues very interesting and helpful in my own research.
I'm looking forward to hearing from you soon.
Effie Dracopoulos-Boikos
Montreal, Canada
****************************************
ATTACHMENT III
Date: Fri, 2 Feb 2001 09:56:21 +0100
To: Tak Utsumi <utsumi@friends-partners.org>
From: Christine Maxwell <maxwell@chiliad.co.uk>
Subject: Re: Wanting to talk with you regarding a proposition for your
wonderful List....
Hello:
I do not know where you are based - I am in Aix en Provence in France. I am a
trustee of the Internet Society and Chairman of its Internet Societal Task
Force. This GU-L list is one of my most preferred because it is so
collaborative and professional and so full of wonderful information. A big
thank you from me for your wonderful leadership in this regard.
I would like to talk to you about my wanting to invite the list the
opportunity to be hosted on my private LYRIS list server - which would enable
the threads to be followed very easily etc etc.
The Internet Society uses Lyris and I can't tell you how wonderful it has
been to have this kind of automated process -
Anyway, I would much appreciate a moment of your time to discuss this
possibility with you. I hope you may think this might be of benefit to your
list.
The only other list running on this server is one I run for my mother called
"Remembering for the Future" (the Holocaust in an age of Genocides)....
I choose to receive this list in digest mode - an example of which is
attached below.....
Lyris is one of the most sophisticated mailing list servers today because of
its high degree of automation and choice for list users etc ...
Anyway, I do look forward to hearing from you.
Kind regards,
Christine Maxwell.
========================================
Delivered-To: chiliad-maxwell@chiliad.co.uk
Date: Sat, 20 Jan 2001 00:00:08 -0500
Subject: rftf2000-discuss digest: January 19, 2001
To: "rftf2000-discuss digest recipients" <rftf2000-discuss@sparky.listmoms.net>
From: "RFTF2000 Discussion List digest" <rftf2000-discuss@sparky.listmoms.net>
RFTF2000-DISCUSS Digest for Friday, January 19, 2001.
1. new members for US Holocaust Memorial Council
----------------------------------------------------------------------
Subject: new members for US Holocaust Memorial Council
From: Brenninstitute@aol.com
Date: Fri, 19 Jan 2001 09:03:45 EST
X-Message-Number: 1
Members of the Holocaust council are:
Poet Maya Angelou of Winston-Salem, N.C.
Edgar M. Bronfman Sr. of New York City, president of the World Jewish
Congress and the World Jewish Restitution Organization and chairman of the
Foundation for Jewish Campus Life.
Gila Bronner of Chicago, president and CEO of Bronner Group L.L.C., an
Internet and computer training and organization change consulting firm.
Norman Brownstein of Englewood, Colo., chairman of Brownstein Hyatt & Farber,
recently named by the National Law Journal as one of the 100 most influential
lawyers in America.
Deputy Treasury Secretary Stuart E. Eizenstat of Chevy Chase, Md.
William H. Gray III of Vienna, Va., president and CEO of The College
Fund/UNCF.
Myron Cherry of Chicago Ill., founder of Cherry & Flynn, a law firm
specializing in civil litigation.
Retired Sen. Frank R. Lautenberg of Cliffside Park, N.J.
Ruth B. Mandel of Princeton, N.J., director of the Eagleton Institute of
Politics and Board of Governors Professor of Politics at Rutgers University.
Harvey M. Meyerhoff of Baltimore, chairman of Magna Holdings Inc. and
chairman emeritus of the U.S. Holocaust Memorial Council.
Set Charles Momjian of Huntingdon Valley, Pa., vice chairman of the Ellis
Island Restoration Commission and founding member of the President Carter
Library and Study Center.
Nathan Shapell of Beverly Hills, Calif., chairman and CEO of Shapell
Industries Inc., a diversified financial and real estate development firm.
Elie Wiesel of New York City, Andrew W. Mellon professor in the Humanities at
Boston University.
Karen B. Winnick of Los Angeles, Calif., author and illustrator of children's
books, including ``Mr. Lincoln's Whiskers'' and ``Sybil's Night Ride.''
---
END OF DIGEST
****************************************
ATTACHMENT IV
Excerpt from
ABCNEWS.com
January 19, 2001
The Melissa virus is back. (ABCNEWS.com)
Melissa Takes on the Mac
Outbreak Detected on New Word 2001
By Sascha Segan
Jan. 19 -- A new version of the famed Melissa virus is spreading, using
Macintosh computers to cloak itself, antivirus companies said.
The virus is evading antiviral radar because antivirus companies hadn't
updated their software to deal with Mac Word 2001 files, which have been
around since October. There are so few viruses on the Mac that it just wasn't
a priority, said Graham Cluley of Sophos.
"Most antivirus companies were just about getting round to it now," he said.
The virus has hit 10 of antivirus company Symantec's major corporate clients,
said Eric Chien, head researcher at Symantec's antiviral research lab in the
Netherlands. Antiviral company F-Secure said it has hit "dozens" of their
clients.
"It seems that this virus might become very widespread rapidly," F-Secure
said in a statement.
Chien said the virus hasn't gotten very far but if companies don't update
their antivirus software, it could spread.
The Melissa virus clogs up networks by sending Word documents out to the
first 50 people in a user's Microsoft Outlook address book. Under certain
circumstances, it also inserts a Bart Simpson quote into infected users' Word
documents.
The subject line of the Melissa e-mail is "Important message from
[username]." The body of the document in the e-mail says, "here is the
document you asked for don't show anyone else." The document is called
anniv.doc.
Cross-Platform Threat
The outbreak started on Macs, but the real threat comes when it spreads to
PCs, antivirus experts said.
Apple has only five percent of the PC market, and the virus can't hook into
Mac e-mail programs. But the virus can spread itself to infect all of the
Word documents opened on an individual Mac with Word 98 or Word 2001. If an
Apple user shares an infected file with a Microsoft Office 97 or 2000 user on
a PC, the virus will activate on the PC and send out its usual barrage of
messages.
The virus will then spread from PC to PC, sending out copies of the original
Mac Word 2001 file openable by PC Word, but not detectable by most
antivirus software.
Antivirus programs have two parts: the main body of the program, called the
engine, has instructions on how to open different kinds of files, and the
data file explains what various viruses look like. Most antiviral program
updates involve only data files, Cluley said. Users will have to update the
engines -- a much longer download -- to deal with this new threat.
Major antivirus vendors including Symantec, Sophos, Network Associates and F-Secure have downloadable updates for this new virus strain.
Unintentional Mutation
The new version of the virus was probably an unintended mutation, Cluley
said.
Mac Word 2001 can open PC files and automatically resaves them into its own
format. An innocent Mac user probably opened a Melissa-infected file obtained
from a PC-using friend and resaved it in the Mac format, cloaking the
familiar virus code in the new Mac garb, he said.
Melissa is written as a Word macro, a set of instructions that's built into a
Word document that can control Microsoft Office.
PC owners can protect themselves by going to their Tools menu, choosing Macro
and then Security, and setting their macro security to High, Chien said. This
blocks "unsigned" macros not written by the computer's owner. Mac users have
less protection: by going to the Edit menu and choosing Preferences, General,
and Macro Virus Protection, they can have Word alert them when a document has
macros in it.
Home users should generally reject all macros, and corporate users should
only run macros approved by administrators, Chien said.
Melissa infected millions of computers in March 1999. David L. Smith, 30,
pled guilty in December 1999 to causing more than $80 million in damages
through computer theft and sending a damaging computer program. He has not
yet been sentenced.
****************************************
ATTACHMENT V
Date: Mon, 11 Dec 2000 23:14:33 -0500
From: "yys" <yys@crtvu.edu.cn>
To: utsumi@friends-partners.org
Subject: Dr. Sharma's paper on "Role of Youth in Promoting Peace"
This is a multi-part message in MIME format.
------=_NextPart_000_002A_01C06429.1795BDA0
Content-Type: text/plain;
charset="gb2312"
Content-Transfer-Encoding: 7bit
This message uses a character set that is not supported by the Internet
Service. To view the original message content, open the attached
message. If the text doesn't display correctly, save the attachment to
disk, and then open it using a viewer that can display the original
character set. <<message.txt>>
------=_NextPart_000_002A_01C06429.1795BDA0
Content-Type: application/x-msdownload;
name="Navidad.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="Navidad.exe"
****************************************
ATTACHMENT VI
Excerpt from
http://news.cnet.com/news/0-1003-200-4850647.html?tag=st.ne.1003.saslnk.saseml
"Sm0ked" vandals say more attacks to come
By Cecily Barnes
Staff Writer, CNET News.com
February 16, 2001, 5:20 p.m. PT
update A well-known hole in Microsoft's Web server software lets
vandals easily access parts of Web sites belonging to big names such as The
New York Times, Intel and Compaq Computer, one cybergang member said Friday.
Calling himself "The-Rev," the vandal said his duo known as Sm0ked Crew
targets Web sites that haven't been adequately secured.
"Sm0ked Crew's aim is to show how even top domains' security can be breached
by (easy) exploits," The-Rev wrote in an e-mail exchange with CNET's
News.com. "We target the biggest and best sites on the Internet."
The hole, known as the IIS Unicode exploit, takes advantage of a
vulnerability in some versions of Microsoft's Internet Information Server.
"Exploitation of this vulnerability is trivial," security firm Internet
Security Systems stated in an alert in October. Microsoft released a patch
for the hole in August, but many customers are still vulnerable because
system administrators haven't followed up.
The-Rev and his partner "Splurge" have tagged more than a dozen sites this
month. Starting with the University of South Florida and Taiwan's Board of
Foreign Trade, the vandals have quickly moved up to large companies such as
Intel and Hewlett-Packard.
On Thursday night, the vandals hit The New York Times Web site, as well as
Intel's Web site for the second time.
Despite appearances, a New York Times spokeswoman said late Friday that the
defacement only looked as though it affected the newspaper's site.
"There was no security breach on NYTimes.com," said Lisa Carparelli, a
representative of New York Times Digital. "In fact, at no point were
NYTimes.com servers affected in any way. There appears to have been a breach
in security at a vendor to whom we outsource the hosting of some business
data."
The-Rev said that hitting major sites has given the duo respectability within
the Internet underground. "Defacing top sites give us power in the
community," he said, adding that he doesn't care whether people think of him
as a hacker or a defacer. "It's a state of mind."
For the most part, experts were unimpressed with the duo's work.
"The only thing that is noteworthy about their defacements is the high-profile nature of their targets," said B.K. DeLong, a staff member with
security Web site Attrition.org, which tracks defacements.
Although Sm0ked Crew's members have pointed out that they were able to hack
servers because a system administrator left flaws unpatched, DeLong said that
doesn't justify their actions.
"I think we are definitely more aware of the problem already," he said,
adding that although defacing a site may put the security issue in the
forefront, it's not the right way to go about it.
Experts have said that the failure of network administrators to patch known
security holes is the biggest problem plaguing the Internet.
And, it may continue to be an issue.
In a separate interview with CNET Radio on Friday, Splurge said that more
attacks are on the way.
"I'm sure you'll want us on tomorrow night," he said.
When asked what the target will be, he said, "You'll see."
Copyright 1995-2001 CNET Networks, Inc. All rights reserved.
****************************************
ATTACHMENT VII
From: Greg Cole <gcole@friends-partners.org>
To: fpadmin@friends-partners.org
cc: natasha@april.friends-partners.ru
Subject: [FPadmin] F&P Server Update (fwd)
Date: Mon, 19 Feb 2001 23:29:37 -0500 (EST)
[NOTE: you are receiving this message as an update on the recent hacking
incident to Friends and Partners -- we are trying to target those who have
been either directly or indirectly affected by the recent problems.]
Dear friends,
We have all been terribly inconvenienced during the past two weeks as a
result of the recent hacking incident on Friends and Partners. We are
terribly sorry about how this has affected everyone - and about how long it
is taking to get all operational again. The delays are due to the new
machine/platform and the difficulties getting various software packages
working - and working securely. But, also, we're investing a lot of time now
into installing firewalls and various intrusion detection software packages
to help ensure that we don't face such an outage again.
Slowly but surely, we are restoring all services. As most of you know, we
were able to get the web servers up last weekend. We have only today gotten
the "mailman" listserver software working correctly again; I will start
tomorrow on restoring user accounts. We will start this weekend on a new
chat room.
Natasha and I have established this listserver to help keep everyone informed
on what is happening - but we hope this might later become a forum by which
we can help each other with technical help and suggestions about security
issues, about running web servers, listservers, chat rooms, and advanced
information services involving CGI scripts, databases and dynamic page
generation.
While we have had a few minor security incidents during the 7 years we've
been running F&P, we have had nothing to compare with what happened in early
February. Whoever broke in to our servers disabled all three machines
(including our back-up server) and launched a "denial of service" attack
which completely shut down the ISP where F&P was housed. Additionally, they
disabled logins on the machines and set up various mechanisms by which they
could come back in. Basically, they left the machines in a state where we
could trust nothing.
Thus, we've started all over again - with a completely new machine, new
operating system and all new software. We're running on a version of unix
that should prove much more secure; we've implemented a firewall to disable
all suspect/unnecessary traffic; and we've implemented a number of other
intrusion detection devices to help us hopefully deter future attacks. It is
sad that the Internet has come to the point where we must constantly be on
guard against those who, for whatever reason, cause harm - but ignoring the
threat only leaves us vulnerable for the next attack.
========================================
<<February 27, 2001>> Removed here by T. Utsumi,
========================================
I'll stop there for now but will be using this list to keep you informed as
all services are restored. I'm sorry not to be answering individual emails
at the moment; unfortunately, this recovery has required nearly all effort
for the last two weeks. I will try to start catching up with email after
everything is operational again (hopefully, will start next week - it will
probably take quite a while to catch up).
Thanks for your patience as we continue putting F&P back together.
Greg
_______________________________________________
FPadmin mailing list
FPadmin@friends-partners.org
http://www.friends-partners.org/mailman/listinfo.cgi/fpadmin
****************************************
List of Distribution
Shahab Khan
Director
Planwel University
Planwel Institute of Science and Technology (PLANWEL)
A-1, L.C.H.S
Gulistan-e-Jauhar, Block-20
Karachi. 75290, Pakistan
Tel: 011-92-21-811-5851
011-92-21-811-5094
Fax: 011-92-21-811-6178
Afroz@khi.compol.com
afroz@planwel.edu
http://www.planwel.com
http://www.planwel.edu
http://www.planwel.edu/Research/tampere.html
http://www.itcomm.gov.pk/
Effie Dracopoulos Boikos
McGill University
Continuing Education
Department of Languages and Translation
8599 de L'Acadie apt.2
Montreal, Quebec H3N 2W7
CANADA
Tel. (514) 495-4862
boikos@sympatico.ca
Greg Cole, Ph.D.
Director
Center for International Networking Initiatives (CINI)
The University of Tennessee System
2000 Lake Avenue
Knoxville, TN 37996
(865) 974-7277 (direct)
865-974-8024
865 974-9729
FAX: (423) 974-8022
gcole@solar.rtd.utk.edu
gcole@friends-partners.org
http://www.friends-partners.org/friends/
Steve McCarty
Professor, Kagawa Junior College
President, World Association for Online Education (WAOE)
3717-33 Nii, Kokubunji, Kagawa 769-0101, JAPAN
+81-877-49-8041 (office, direct line), Fax: +81-877-49-5252
steve@kagawa-jc.ac.jp, steve_mc@kagawa-jc.ac.jp
mccarty@mail.goo.ne.jp -- web mail
WAOE: http://www.waoe.org
Website Map: http://www.kagawa-jc.ac.jp/~steve/
Japanese home page: http://www.kagawa-jc.ac.jp/~steve_mc/
English home page: http://www.kagawa-jc.ac.jp/~steve_mc/presence.html
Online publications (an Asian Studies WWW Virtual Library 4-star site):
In Japanese: http://www.kagawa-jc.ac.jp/~steve_mc/jpublist.html
In English: http://www.kagawa-jc.ac.jp/~steve_mc/epublist.html
http://www.asiasource.org/experts/ax_mp_03.cfm?expertid=1944
Fundamental Projects of Dr. Takeshi Utsumi [Japanese-English]:
http://www.kagawa-jc.ac.jp/~steve_mc/asia-pacific/projects-ej.html
http://www.kagawa-jc.ac.jp/~steve_mc/asia-pacific/projects-j.html (Japanese)
Global University System Asia-Pacific Framework:
http://www.kagawa-jc.ac.jp/~steve_mc/asia-pacific/index.html
Global University System Mid-2000 Correspondence:
http://www.friends-partners.org/~utsumi/gu-l/mid-2000/index.html
Christine Maxwell
Trustee
Chairman, ISTF (Internet Societal Task Force)
Vice Chairman
Internet Society
Tel: +33 4 42 66 80 30
French Portable No. +33 6 20 72 40 63
Wildfire Global Tracking Number: +1 415 732 6170
Fax: +33 4 42 66 81 07
maxwell@isoc.org
maxwell@chiliad.co.uk
http://www.isoc.org
http://www.cyberworkers.org/maxwell
Vincent Cerf, Ph.D.
MCI WorldCom
22001 Loudoun County Parkway
Building F2, Room 4115, ATTN: Vint Cerf
Ashburn, VA 20147
Telephone (703) 886-1690
FAX (703) 886-0047
vcerf@mci.net
http://www.isoc.org/inet2000
P. Tapio Varis, Ph.D, Professor
Acting President, Global University System
Chairman, GLOSAS/Finland
Professor and Chair
Media Culture and Communication Education
Hypermedia laboratory
University of Tampere
P.O.Box 607
FIN-33101 Tampere
FINLAND
Tel: +358-3-215 6110
Tel: +358-3-614-5247--office in Hameenlinna
Tel: +358-3-215 6243--mass media lab in Tampere
GSM: +358-50-567-9833
Fax: +358-3-215 7503
tapio.varis@uta.fi
http://www.uta.fi/~titava
Xin DING
Professor
China Central Radio and TV University
No. 160 Fuxingmen Nei St.
Beijing, China 100031
Tel: (8610) 66412233-0714
Fax: (8610) 66419025
Email: yys@crtvu.edu.cn
Daing Zaidah IBRAHIM
Senior Lecturer
Universiti Tun Abdul Razak
16-5 Kelana Jaya Urban Centre
Malaysia 47301 Kelana Jaya
Tel: (60) 37092183
Fax No. (60) 37045329
Email: daingz@unitarklj1.edu.my
**********************************************************************
* Takeshi Utsumi, Ph.D., P.E., Chairman, GLOSAS/USA *
* (GLObal Systems Analysis and Simulation Association in the U.S.A.) *
* Laureate of Lord Perry Award for Excellence in Distance Education *
* Founder of CAADE *
* (Consortium for Affordable and Accessible Distance Education) *
* President Emeritus and V.P. for Technology and Coordination of *
* Global University System (GUS) *
* 43-23 Colden Street, Flushing, NY 11355-3998, U.S.A. *
* Tel: 718-939-0928; Fax: 718-939-0656 (day time only--prefer email) *
* Email: utsumi@columbia.edu; Tax Exempt ID: 11-2999676 *
* http://www.friends-partners.org/GLOSAS/ *
**********************************************************************
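
Added example (not part of the original message or its attachments): a mail-side check for the two cases described above, the executable MIME part shown in ATTACHMENT V and the Melissa subject line and file name quoted in ATTACHMENT IV. The sample message is constructed from the ATTACHMENT V headers with a harmless placeholder payload; the addresses, boundary, body text, extension list and rule names are assumptions.

```python
import email
import os
import re
from email import policy

# Assumed, non-exhaustive policy lists for "executable" attachments.
EXEC_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}
# Subject prefix and file name quoted in the ABCNEWS excerpt (ATTACHMENT IV).
MELISSA_SUBJECT = re.compile(r"^\s*important message from\b", re.I)
MELISSA_FILE = "anniv.doc"

# Constructed sample: headers follow ATTACHMENT V; the payload is the
# base64 of the word "placeholder", not a real program.
SAMPLE_NAVIDAD = b"""\
From: sender@example.org
To: recipient@example.org
Subject: Dr. Sharma's paper on "Role of Youth in Promoting Peace"
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY-constructed"

This is a multi-part message in MIME format.
--BOUNDARY-constructed
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: 7bit

Please see the paper.

--BOUNDARY-constructed
Content-Type: application/x-msdownload; name="Navidad.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Navidad.exe"

cGxhY2Vob2xkZXI=

--BOUNDARY-constructed--
"""


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", ""))
    if MELISSA_SUBJECT.match(subject):
        findings.append(("melissa-subject", subject))

    # Text the sender wrote, used to test whether the file is ever mentioned.
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            try:
                body += part.get_content()
            except LookupError:  # unknown charset label: fall back to raw bytes
                body += part.get_payload(decode=True).decode("latin-1")
    body = body.lower()

    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        if not name:
            continue
        # splitext takes the last extension, so "photo.jpg.exe" is caught too.
        ext = os.path.splitext(name.lower())[1]
        if part.get_content_type() in EXEC_TYPES or ext in EXEC_EXTS:
            findings.append(("executable-attachment", name))
            if name.lower() not in body:
                findings.append(("unannounced-attachment", name))
        if name.lower() == MELISSA_FILE:
            findings.append(("melissa-attachment", name))
    return findings


if __name__ == "__main__":
    for rule, detail in scan_message(SAMPLE_NAVIDAD):
        print(f"{rule}: {detail}")
```
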