Hackers Target Cal - ISO System

Event Year: 2001
Reliability: Confirmed
Country: United States
Industry Type: Power and Utilities
Description:

Like the Salt River Project incident, this incident appears to be rife with conflicting information. The best data we have is that a relatively inexperienced hacker was able to exploit two Solaris servers that were part of a development network at Cal-ISO. These servers were supposed to be protected by a firewall, but in reality they were connected directly to the Internet. In addition, the Cal-ISO system administrators left the servers with all the software installed by the default setup, leaving numerous vulnerabilities open to exploitation. (#1)

The original LA Times article states:
“An internal agency report, stamped “restricted,” shows that the attack began as early as April 25 and was not detected until May 11. The report says the main attack was routed through China Telecom from someone in Guangdong province in China. In addition to using China Telecom, hackers entered the system by using Internet servers based in Santa Clara in Northern California and Tulsa, Okla., the report says. James Sample, the computer security specialist at Cal-ISO who wrote the report, said he could not tell for certain where the attackers were located.” (#2)

The system also lacked any means of collecting a record of events in a secure place; the logs were left on the compromised computers, where the intruder could reach them. The investigators could not easily determine which files had been changed. A rudimentary root kit—a tool set used by Internet attackers to take total control of a system—had been installed, but other details could not be discovered.
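The two gaps just described, logs kept on the compromised hosts and no way to tell which files had been changed, are what a file-integrity baseline stored off the monitored host addresses. The following is an added illustration, not code from the incident report or from Cal-ISO; the directory layout and file contents in `demo_scenario` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash.
    Keep the result off the monitored host: a baseline the intruder can edit
    is no more trustworthy than logs left on the compromised machine."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def verify_baseline(root: Path, baseline: dict) -> dict:
    """Compare the tree as it is now against the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo_scenario() -> dict:
    """Constructed example: baseline a small tree, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("bin", "etc", "var"):
            (root / d).mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")  # constructed content
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "var" / "messages").write_text("May 11 host sshd: session opened\n")
        baseline = build_baseline(root)  # in practice: ship this off-host now
        # Simulated tampering of the kind a root kit performs: a replaced
        # binary, a dropped file, and a deleted log.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        (root / "bin" / "extra").write_bytes(b"new file")
        (root / "var" / "messages").unlink()
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    print(demo_scenario())
```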

Impact:

“There was an obvious attempt made to penetrate our systems,” said Greg Fishman, spokesman for Cal-ISO, who would not give any more details. “They were able to achieve minimal penetration into a system that we use to demonstrate software. This was never a threat to our core operations.” (#1)