[cobalt-developers] Raq 3 System Hacked via FTP or IMAPD (slice3)
- Subject: [cobalt-developers] Raq 3 System Hacked via FTP or IMAPD (slice3)
- From: "Nils Koesters" <koesters@xxxxxxxxxxx>
- Date: Tue Jul 4 05:01:00 2000
Sadly our Cobalt server was hacked last week; I didn't find anything about it in the
993 cobalt-developers mailing list mails.
Our server went down yesterday.
To help others, I will explain what happened.
We had an anonymous FTP on one host, where the intruder came in.
I found a slice3 executable in /dev/ttyS100/; this slice3 was loaded and
executed.
I killed the process, deleted the file and saw that atd tried to run and
reload the file. When I tried to kill the process, it forked again
immediately.
I then rebooted. After the reboot the deleted file slice3 was there again. I
then looked at atd in /usr/sbin; several files in this directory had new,
1-day-old time stamps.
I also found files called vigr; if typed in, the whole password file was in
them.
What I have done now as a first step is moved atd, renamed all passwords and
deleted the files not really necessary for server operation. Pitifully I
also have new timestamps on inetd and so on.
I also now ran: rm slice3; touch slice3; chmod 000 slice3
By now the system is free, but whatever backdoors might be open I do not
know.
The wtmp file shows:
SITE2 ftp Mon Jun 26 16:15 - 16:15 (00:00)
1Cust191.tnt1.barrie.on.da.uu.net
SITE2 ftp Sun May 28 09:05 - 09:06 (00:00)
CM10977-a.maast1.lb.nl.home.com
SITE2 ftp Sun May 21 10:07 - 10:07 (00:00)
CM10977-a.maast1.lb.nl.home.com
SITE2 ftp Fri May 5 12:49 - 12:49 (00:00)
c18729112.telekabel.chello.nl
SITE2 ftp Fri May 5 04:29 - 04:29 (00:00)
c18729112.telekabel.chello.nl
SITE2 ftp Tue Mar 14 20:36 - 20:36 (00:00)
HSE-Montreal-ppp32618.qc.sympatico.ca
SITE2 ftp Tue Mar 14 20:15 - 20:15 (00:00)
HSE-Montreal-ppp32618.qc.sympatico.ca
CEST
Sites which we don't know.
I would like to make imap defunct
(http://www.enteract.com/~lspitz/enemy3.html) as suggested on anti-hacker
sites, but how can I do that with the admin thing? Disabling it via inetd.conf
brings up the alarm.
And generally, how can I make my system secure without totally ruining the
admin interface?
I have checked the knowledge base but haven't found anything.
May I suggest some install options for future interfaces enabling me to
control which IPs or netmasks get access, or can I already do that in the
admin interface? If I do it the old-fashioned way I probably ruin the
warranty, or?
Where can I find sites on how to secure the RaQ3 without ruining the admin
interface?
With regards
Nils
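Two of the indicators in the post above lend themselves to a small, repeatable triage check: the wtmp sessions from unfamiliar hosts, and an executable sitting under /dev where only device nodes belong. The following Python is an added example written for this archive page; it is not Cobalt's tooling and not code from the poster. The `last`-style lines are constructed from the entries quoted in the post (re-joined into the one-line layout `last` prints, plus one made-up "office.example.net" admin login), the trusted suffix "example.net" is an assumption, and the fake /dev tree is built in a temporary directory so the scan runs offline.

```python
"""Added example: post-incident triage helpers for a Unix host.

Two checks drawn from the symptoms in the post:
  1. parse `last`-style wtmp output and count FTP session sources that
     match no trusted domain suffix;
  2. walk /dev (or a stand-in copy) and report regular files, which do
     not belong there: the post's slice3 lived in /dev/ttyS100/.
Illustrative code only, not Cobalt's own tooling.
"""
import os
import re
import stat
import tempfile
from collections import Counter

# Constructed sample: the wtmp entries quoted in the post, re-joined into the
# single-line layout that `last` prints, plus one invented legitimate login.
SAMPLE_LAST_OUTPUT = """\
SITE2    ftp          1Cust191.tnt1.barrie.on.da.uu.net Mon Jun 26 16:15 - 16:15  (00:00)
SITE2    ftp          CM10977-a.maast1.lb.nl.home.com  Sun May 28 09:05 - 09:06  (00:00)
SITE2    ftp          CM10977-a.maast1.lb.nl.home.com  Sun May 21 10:07 - 10:07  (00:00)
SITE2    ftp          c18729112.telekabel.chello.nl    Fri May  5 12:49 - 12:49  (00:00)
SITE2    ftp          c18729112.telekabel.chello.nl    Fri May  5 04:29 - 04:29  (00:00)
SITE2    ftp          HSE-Montreal-ppp32618.qc.sympatico.ca Tue Mar 14 20:36 - 20:36  (00:00)
SITE2    ftp          HSE-Montreal-ppp32618.qc.sympatico.ca Tue Mar 14 20:15 - 20:15  (00:00)
admin    pts/0        office.example.net               Mon Jun 26 09:00 - 09:30  (00:30)
"""

# user, tty/service, remote host, start time, end time, (duration)
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}) - (?P<end>\S+)\s+"
    r"\((?P<duration>[^)]+)\)"
)


def parse_last(text):
    """Return one dict per session line; lines that do not match are skipped
    (the 'wtmp begins ...' footer, blank lines, local logins with no host)."""
    records = []
    for line in text.splitlines():
        m = LAST_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def untrusted_sources(records, trusted_suffixes, service="ftp"):
    """Count sessions per remote host for one service (the tty column shows
    'ftp' for FTP logins), skipping hosts under any trusted domain suffix.
    Returns a Counter: lowercase host -> number of sessions."""
    counts = Counter()
    for r in records:
        if r["tty"] != service:
            continue
        host = r["host"].lower()
        if any(host == s or host.endswith("." + s) for s in trusted_suffixes):
            continue
        counts[host] += 1
    return counts


def regular_files_under(dev_root):
    """Sorted paths of regular files below dev_root. Device nodes, symlinks
    and FIFOs are ignored; a plain file under /dev deserves a look."""
    found = []
    for dirpath, _dirs, files in os.walk(dev_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                found.append(path)
    return sorted(found)


def build_constructed_dev_tree():
    """Constructed stand-in for /dev (temporary directory): one symlink that
    mimics a device entry and one subdirectory holding a regular file."""
    root = tempfile.mkdtemp(prefix="fake_dev_")
    os.symlink("/dev/null", os.path.join(root, "null"))
    os.makedirs(os.path.join(root, "ttyS100"))
    with open(os.path.join(root, "ttyS100", "slice3"), "wb") as f:
        f.write(b"\x7fELF placeholder, not a real binary")
    return root


if __name__ == "__main__":
    sessions = parse_last(SAMPLE_LAST_OUTPUT)
    for host, n in untrusted_sources(sessions, ("example.net",)).most_common():
        print(f"{n:3d} ftp session(s) from unknown host {host}")
    for path in regular_files_under(build_constructed_dev_tree()):
        print("regular file under fake /dev:", path)
```

Run against real data with `last -f /var/wtmp` piped into `parse_last` and `/dev` passed to `regular_files_under`; the service filter is the tty column, so the same function reports unknown pts/telnet sources when called with `service="pts/0"` or similar.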