RE: [cobalt-developers] Hacker
- Subject: RE: [cobalt-developers] Hacker
- From: "Sean McCabe" <flare@xxxxxxxxxxxxx>
- Date: Fri Apr 6 06:26:18 2001
- List-id: Discussion Forum for developers on Cobalt Networks products <cobalt-developers.list.cobalt.com>
He hacked my raq3 as well; this guy will get caught in time.
-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of KAMRY
Sent: Tuesday, April 03, 2001 11:13 PM
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-developers] Hacker
Which update are we talking about? I have all Cobalt patches installed on
that machine. Are you referring to other updates?
Before the servers were turned off, not only was the index.html for the root sites
changed, but even ASP files and several others were replaced with that
"Signature or Statement".
How would this worm have got into the server if it was updated?
Kal
-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of robert
Sent: Tuesday, April 03, 2001 9:47 PM
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-developers] Hacker
this was a variant of the "RAMEN" rootkit. it's a DDoS.
you weren't TARGETED. it's a random class b scanning program that
looks for a vulnerability in bind 8. GO UPGRADE your bind NOW.
look in /dev/.lib (.lib is the dir where the hacking programs are stored)
also, check out your process tree "ps aux" for hack.sh, or anything .sh
that you don't recognize.
kill the process(es), and remove /dev/.lib, also restore index.html to
what they were before.
you must upgrade your bind as well.
port scan your server for a port above 27000, i don't know the exact port,
however it's up there... if you do http://yourserver:27xxx it will show
the program's compiled code. it's odd.
also, the program adds several open ports (4 i think) for remote root
shells. check this out immediately. /etc/services, or
/etc/rc.d/somefile...
it adds them somewhere... and /etc/inetd.conf
i believe /etc/inetd.conf has the 4 open ports... AT THE BOTTOM of the
file. killall -HUP inetd after editing inetd.conf
or, call me... 815-356-3983 (our office) i would be glad to help you
through this, it really angers me... it actually happened to one of our
servers.
On Tue, 3 Apr 2001, KAMRY wrote:
>
> Hi Anyone knows anything about this guy:
>
> Powered by H.U.C(c0011i0n).-----1i0n Crew
>
> He hacked into a new XTR which was deployed yesterday and an old Raq 4r.
> The XTR has all updates even before it was put on the Internet. The Cobalt
> guys say that this guy used a RootKit. Can we do a CD RESTORE remotely? Has
> anyone done that, or can we tar a Raq 4r root and restore it on that hacked
> machine? Currently the machines are offline.
>
> Thanks,
>
>
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
>
> _______________________________________________
> cobalt-developers mailing list
> cobalt-developers@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-developers
>
--
Robert Abraham, CEO
HyperAccess.NET
50 N. Walkup Ave
Top Floor
Crystal Lake, IL 60014
815.356.3983 - Office
815.621.5282 - Cell
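A read-only triage script for the indicators Robert lists in the thread above (/dev/.lib, processes running .sh scripts, extra entries at the bottom of inetd.conf, a listener on a port above 27000); this is an added example, not code from the thread or from Cobalt. It assumes a POSIX sh with awk, and netstat or ss for the live listener check; the function names, the interpreter list and the sample values in the comments are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: read-only triage for the indicators
# Robert describes. Each check takes its input as a path or on stdin, so it
# can be run against a live host or against files copied off the machine.
# Function names, the 27000 threshold and the interpreter list are assumptions.

# /dev/.lib: the hidden directory the tools were dropped in. Exit 0 if present.
lion_check_devlib() {
    [ -d "${1:-/dev/.lib}" ]
}

# Count active inetd.conf entries whose server program (field 6) is a shell
# or whose service field is a bare port number; neither belongs in a stock
# inetd.conf and both fit the "extra ports at the bottom" description.
lion_suspicious_inetd() {
    awk '!/^[ \t]*#/ && NF >= 6 {
             if ($6 ~ /\/(sh|bash|csh|tcsh|ksh)$/ || $1 ~ /^[0-9]+$/) n++
         } END { print n + 0 }' "${1:-/etc/inetd.conf}"
}

# From `ps aux` output on stdin, print PID and command line of every process
# whose command or arguments end in .sh (the "hack.sh, or anything .sh" check).
lion_sh_processes() {
    awk '$2 ~ /^[0-9]+$/ {
             for (i = 11; i <= NF; i++) if ($i ~ /\.sh$/) {
                 cmd = $11; for (j = 12; j <= NF; j++) cmd = cmd " " $j
                 print $2, cmd; break
             }
         }'
}

# From `netstat -tln` or `ss -tln` output on stdin, print listening TCP ports
# above the threshold (default 27000). Local address is field 4 in both tools.
lion_high_ports() {
    awk -v min="${1:-27000}" '$1 == "tcp" || $1 == "tcp6" || $1 == "LISTEN" {
             p = $4; sub(/.*:/, "", p)
             if (p ~ /^[0-9]+$/ && p + 0 > min) print p
         }'
}

# Run all four checks against the live system.
lion_triage() {
    lion_check_devlib && echo "WARNING: /dev/.lib exists"
    echo "suspicious inetd.conf entries: $(lion_suspicious_inetd)"
    echo "processes running .sh scripts:"; ps aux | lion_sh_processes
    echo "TCP listeners above 27000:"
    { netstat -tln 2>/dev/null || ss -tln 2>/dev/null; } | lion_high_ports
}

if [ "${1:-}" = "--run" ]; then lion_triage; fi
```

Run it as root with `--run` on the suspect host, or source it and point the individual functions at files copied from the machine; a non-empty result from any check is a reason to follow Robert's advice and rebuild rather than just delete what was found.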