Please Please Read - Very Big Bad Network Problems (http://www.programmingforums.org/showthread.php?t=8431)

bigguy Feb 16th, 2006 12:47 AM

Please Please Read - Very Big Bad Network Problems
 
Hey yall, I go to ICC HS. In the library we are running Windows 2000 Server or win2k3 Server. My classroom is the only other server in the entire school. We are running SUSE10 on it. The clients on the classroom network are Win2k. The other day the main server in the library's password was changed. A computer in our classroom had two new user accounts that neither me nor the other network admin added. And then yesterday a kid was playing around and typed suse or suse.com somewhere, I can't remember where because I didn't have my NSS turned on, and it completely restarted the computer. I don't know if he knows more than he is telling or what. But since I'm the only "known" person in the entire school who knows much about computers, I am being faced with being expelled. The State school computer monitoring center gave me 1 week to find out who or how it was done, or I will be expelled. Please help me. I have no idea what is going on but I think it's not good. Plus we are receiving WAY more network traffic in the past month than we have in the past 4 years. Something weird is going on and I don't want to go down for it. Please help me. Thanks

Arevos Feb 16th, 2006 2:12 AM

Quote:

Originally Posted by bigguy
But since I'm the only "known" person in the entire school who knows much about computers, I am being faced with being expelled. The State school computer monitoring center gave me 1 week to find out who or how it was done, or I will be expelled.

If you're innocent, I wouldn't worry. I suspect that in your country, people are "innocent until proven guilty". Expelling students on hunches without evidence is usually not something schools can do, especially state schools.

Quote:

Originally Posted by bigguy
Please help me. I have no idea what is going on but I think it's not good. Plus we are receiving WAY more network traffic in the past month than we have in the past 4 years. Something weird is going on and I don't want to go down for it. Please help me. Thanks

Reinstall your SuSE server. Give it a different root password. If the machine has been compromised, that's the only truly safe option.

Jimbo Feb 16th, 2006 2:50 AM

You might consider tracking your connections and looking for patterns in the IP addresses and ports used. Then you can decide how to deal with that. Check if you have any ports open or services running that shouldn't be. Also, if you haven't already, change all the passwords and remove (or disable) the suspicious accounts. (I've not used SuSE before, and only a little bit of any flavor of Linux, and even then hardly anything administrative, so I don't know exactly how to do these... sorry)

And if you were to be expelled on such circumstantial and biased evidence, a suit against the school would probably be in order...

Arevos Feb 16th, 2006 3:50 AM

It shouldn't be your problem to find out who did it. This presumably isn't a paying job, and unless your school wants to pay you for your time, it simply isn't worth trying to find out who compromised the machine, except to satisfy your curiosity.

If you're curious, I'd look at the logs (usually in /var/log), check the running processes (ps ax), check the bash history for root (/root/.bash_history), and anything else you can think of. But don't feel you have to. If what you say is true, and you are telling the entire story, then your school is trying to blackmail you into doing sysadmin work.

That's worth repeating. If you had nothing to do with the machine being compromised, then there is nothing the school can do to you.
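The checks Jimbo and Arevos describe (connection patterns by IP and port, listening services that should not be there, and what the logs in /var/log say about logins) can be scripted so they produce a short summary instead of a wall of output. The script below is an added example written for this thread, not code from any of the posters. Every input in it is constructed sample data in the formats `netstat -tn`, `netstat -tln` and syslog produce, so it runs offline; on the real SuSE box you would feed those commands' output and /var/log/messages into the same functions. The allowed-port list is an assumption for the example.

```shell
#!/bin/sh
# Added triage helper for a possibly compromised Linux box (example, not from
# the thread). It summarises three things an admin wants at a glance:
#   1. which remote hosts talk to which local ports, and how often
#   2. which listening ports are NOT on the list of expected services
#   3. which source IPs have been failing SSH logins
# The samples below are constructed; replace them with real command output.

# Constructed sample of `netstat -tn` output (established connections).
SAMPLE_CONNS='tcp        0      0 10.0.5.20:22          10.0.5.77:51234     ESTABLISHED
tcp        0      0 10.0.5.20:22          10.0.5.77:51240     ESTABLISHED
tcp        0      0 10.0.5.20:22          10.0.5.77:51251     ESTABLISHED
tcp        0      0 10.0.5.20:6346        198.51.100.9:4120   ESTABLISHED
tcp        0      0 10.0.5.20:6346        203.0.113.44:4122   ESTABLISHED
tcp        0      0 10.0.5.20:80          10.0.5.81:40022     ESTABLISHED'

# Constructed sample of `netstat -tln` output (listening sockets).
SAMPLE_LISTEN='tcp        0      0 0.0.0.0:22            0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:80            0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:6346          0.0.0.0:*           LISTEN
tcp        0      0 127.0.0.1:25          0.0.0.0:*           LISTEN'

# Constructed sample of syslog lines in the format sshd writes them.
SAMPLE_AUTH='Feb 15 23:58:01 suse sshd[4411]: Failed password for root from 10.0.5.77 port 51234 ssh2
Feb 15 23:58:04 suse sshd[4411]: Failed password for root from 10.0.5.77 port 51234 ssh2
Feb 15 23:58:09 suse sshd[4415]: Failed password for invalid user admin from 10.0.5.77 port 51240 ssh2
Feb 15 23:58:30 suse sshd[4420]: Accepted password for root from 10.0.5.77 port 51251 ssh2
Feb 16 00:02:11 suse sshd[4490]: Accepted publickey for bigguy from 10.0.5.81 port 40010 ssh2'

# Ports this server is expected to listen on (assumption for the example).
ALLOWED_PORTS="22 80 25"

# Count established connections per "remote IP -> local port" pair,
# most frequent first. Field 4 is local addr:port, field 5 is remote.
conn_patterns() {
    printf '%s\n' "$SAMPLE_CONNS" | awk '$6 == "ESTABLISHED" {
        split($4, l, ":"); split($5, r, ":")
        pair = r[1] " -> port " l[2]; count[pair]++ }
        END { for (p in count) printf "%d %s\n", count[p], p }' | sort -rn
}

# Print each listening port that is not in ALLOWED_PORTS, one per line.
unexpected_listeners() {
    printf '%s\n' "$SAMPLE_LISTEN" | awk '$6 == "LISTEN" {
        n = split($4, a, ":"); print a[n] }' | sort -un |
    while read -r port; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;          # expected service, say nothing
            *) echo "$port" ;;       # not on the allowlist: look at it
        esac
    done
}

# Count failed SSH password attempts per source IP, most first.
failed_logins_by_ip() {
    printf '%s\n' "$SAMPLE_AUTH" | awk '/sshd.*Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++ }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }' | sort -rn
}

# Stand-alone run: print the three summaries in order.
echo "== connections by remote host and local port =="; conn_patterns
echo "== listening ports not on the allowlist =="; unexpected_listeners
echo "== failed SSH logins by source IP =="; failed_logins_by_ip
```

Read the three summaries together: the sample shows one host (10.0.5.77) hammering port 22, then an accepted root login from that same host, and a listener on 6346 that nobody configured. That combination is exactly the kind of pattern Jimbo means, and the accepted login after the failures is the log line Arevos would want to find before deciding whether Arevos' reinstall advice applies.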

DaWei Feb 16th, 2006 6:31 AM

Just an echo of the others: presuming you're innocent, there's more chance of you punishing the school than vice versa. Presumably, your parents/guardian are supportive. Get up on your hind legs and don't run scared.

bigguy Feb 16th, 2006 6:43 AM

Thank you all very much for your ideas and suggestions. I will go to school today and try to figure out what is going on and let yall know. Thanks again

Also dawei I ain't a very fast runner so I wouldn't get too far.

Thanks again yall

bigguy Feb 16th, 2006 12:09 PM

Ok, we found the problem. Someone had downloaded Kazaa on a couple of the computers. As for the shutdown ordeal, I'm still working on that, but it looks like I'll be ok.

Arevos Feb 16th, 2006 12:17 PM

If they were threatening to expel you over a third party installing Kazaa on their computers, then I hope now they're offering up a lot of apologies.

Dameon Feb 16th, 2006 7:00 PM

As for the new user accounts, those were on one of the win2k machines, correct? Make sure that authenticated users are not lumped into the Power Users group (the default when upgrading from NT). A power user can add and remove user accounts and reset passwords of local accounts, which would explain additional user accounts. I would assume that the machines in the room are imaged. It may behoove you to reimage the machines, make a few security enhancements (see above, but also filesystem permissions!), and reimage again with the updated image.

A few questions:
1. What role does the SuSE server play in relation to the Windows server in the library? Is it set up as an Active Directory (read: LDAP) backup/replication server? Separate altogether?
2. Do you have access to a switch/gateway between the classroom and the rest of the network? If so, majorly lock down the ports. Set a few filters to at the least block all traffic with a destination outside the school/district IP range that isn't on port 80.
3. What is your role in administering these machines? Do you have some officially delegated role in this particular classroom/school or are you just being fingered for your reputation?
4. Is the increased traffic all coming from the one classroom or schoolwide?
5. Which machine rebooted, one of the clients or which of the two servers?

As for being innocent until proven guilty, tech-illiteracy of the authorities may cause problems. Be careful.

a thing Feb 16th, 2006 8:46 PM

Quote:

Originally Posted by Arevos
It shouldn't be your problem to find out who did it. This presumably isn't a paying job, and unless your school wants to pay you for your time, it simply isn't worth trying to find out who compromised the machine, except to satisfy your curiosity.

If you're curious, I'd look at the logs (usually in /var/log), check the running processes (ps ax), check the bash history for root (/root/.bash_history), and anything else you can think of. But don't feel you have to. If what you say is true, and you are telling the entire story, then your school is trying to blackmail you into doing sysadmin work.

That's worth repeating. If you had nothing to do with the machine being compromised, then there is nothing the school can do to you.

http://programmingforums.org/forum/s...80&postcount=6


Powered by vBulletin® Version 3.7.0, Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Copyright ©2007 DaniWeb® LLC