RE: [cobalt-developers] eXTENDING Hacker
- Subject: RE: [cobalt-developers] eXTENDING Hacker
- From: "KAMRY" <kamry1888@xxxxxxxxx>
- Date: Sun Apr 8 10:56:01 2001
- List-id: Discussion Forum for developers on Cobalt Networks products <cobalt-developers.list.cobalt.com>
I've just come across a strange scenario. It seems that one of the other
Raqs had DNS enabled. The Raq is on the same network as the server that was
compromised. Why wasn't that Raq compromised even though it didn't include that
BIND update!!? From what I read, they say:
"It is known to infect bind versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas."
The Cobalt patch says that "RaQXTR-en-Security-0.0.1-9353" is to upgrade the
version of BIND used by DNS to 8.2.3. This version of BIND contains various
security fixes for security holes that were found in BIND 2.2.2_P5.
I can see that the infection occurs on beta versions, but I don't know if
the Cobalt patch upgrade is a beta or a final version!! In either case, the
server with the old BIND wasn't infected, although the other two servers got
compromised real quick, and they all reside next to each other on the same
network!!
Does anyone have an idea!!? I'm just afraid to update those servers again and then
have them get the worm again. I disabled all DNS on all servers just in case for
the time being, since we are not running DNS from these servers anyhow...
Thanks,
Kal
-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of Sean McCabe
Sent: Friday, April 06, 2001 12:28 AM
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-developers] Hacker
He hacked my raq3 as well; this guy will get caught in time.
-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of KAMRY
Sent: Tuesday, April 03, 2001 11:13 PM
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-developers] Hacker
Which update are we talking about? I have all Cobalt patches installed on
that machine. Are you referring to other updates?
Before the servers were turned off, not only the index.html for root sites
was changed, but even ASP files and several others were replaced with that
"Signature or Statement".
How would this worm have gotten into the server if it was updated....
Kal
-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of robert
Sent: Tuesday, April 03, 2001 9:47 PM
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-developers] Hacker
this was a variant of the "RAMEN" rootkit. it's a DDoS.
you weren't TARGETED. it's a random class b scanning program that
looks for a vulnerability in bind 8. GO UPGRADE your bind NOW.
look in /dev/.lib (.lib is the dir where the hacking programs are stored)
also, check out your process tree "ps aux" for hack.sh, or anything .sh
that you don't recognize.
kill the process(es), and remove /dev/.lib, also restore index.html to
what they were before.
you must upgrade your bind as well.
port scan your server for a port above 27000, i don't know the exact port,
however it's up there... if you do http://yourserver:27xxx it will show
the program's compiled code. it's odd.
also, the program adds several open ports (4 i think) for remote root
shells. check this out immediately. /etc/services, or
/etc/rc.d/somefile...
it adds them somewhere... and /etc/inetd.conf
i believe /etc/inetd.conf has the 4 open ports... AT THE BOTTOM of the
file. killall -HUP inetd after editing inetd.conf
or, call me... 815-356-3983 (our office) i would be glad to help you
through this, it really angers me... it actually happened to one of our
servers.
On Tue, 3 Apr 2001, KAMRY wrote:
>
> Hi. Anyone know anything about this guy:
>
> Powered by H.U.C(c0011i0n).-----1i0n Crew
>
> He hacked into a new XTR which was deployed yesterday and an old Raq 4r.
> The XTR has all updates even before it was put on the Internet. Cobalt guys
> say that this guy used a RootKit. Can we do a CD RESTORE remotely? Has
> anyone done that, or can we tar a Raq4r root and restore it on that hacked
> machine? Currently the machines are offline.
>
> Thanks,
>
>
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
>
> _______________________________________________
> cobalt-developers mailing list
> cobalt-developers@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-developers
>
--
Robert Abraham, CEO
HyperAccess.NET
50 N. Walkup Ave
Top Floor
Crystal Lake, IL 60014
815.356.3983 - Office
815.621.5282 - Cell
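The manual checks robert walks through above (look for a hidden /dev/.lib, scan "ps aux" for an unfamiliar .sh script, read the entries at the bottom of /etc/inetd.conf, look for a listener above port 27000) can be turned into a repeatable triage script that an admin runs against copies of the files pulled off a suspect box. The script below is an added example, not code from the thread, from Cobalt or from any poster. It reads saved ps and netstat output and an inetd.conf from files passed as arguments; the sample data it builds (the PID 1337, the service names bogus1/bogus2, port 27999) is constructed for illustration and does not describe any real host or worm.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cobalt: offline triage for
# the indicators robert lists (a hidden /dev/.lib directory, an unrecognised
# *.sh process, root-shell entries appended to the bottom of /etc/inetd.conf,
# a listener on a port above 27000). Every check reads a file or directory
# given as an argument, so it works on copies taken from a suspect host or on
# the constructed samples at the bottom.

# Hidden directories directly under a dev directory (the rootkit dir in the
# thread was /dev/.lib); normal /dev entries are not dot-prefixed.
hidden_dev_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*' 2>/dev/null | sort
}

# PIDs from a saved "ps aux" listing whose command line contains a *.sh
# script (the thread names hack.sh). Columns 11 onward are the command.
sh_process_pids() {
    awk 'NR > 1 { for (i = 11; i <= NF; i++) if ($i ~ /\.sh$/) { print $2; break } }' "$1"
}

# Service names of the last N active entries in an inetd.conf; robert notes
# the added entries sat at the bottom of the file. N defaults to 4.
inetd_tail_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1" | tail -n "${2:-4}"
}

# inetd.conf entries whose server program (field 6) is a shell: a service
# that hands a connecting client /bin/sh as root is the remote root shell.
inetd_shell_entries() {
    awk 'NF > 0 && $1 !~ /^#/ && $6 ~ /\/(ba)?sh$/ { print $1 }' "$1"
}

# TCP ports in LISTEN state above 27000 from a saved "netstat -an" listing
# (local address is field 4; the port follows the last colon).
high_listen_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        if (port > 27000) print port
    }' "$1"
}

# ---- constructed sample data (not taken from any real host) ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/dev/.lib" "$SAMPLE_DIR/dev/pts"

cat > "$SAMPLE_DIR/ps.txt" <<'EOF'
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  1104  472 ?        S    Apr03   0:04 init
root       219  0.0  0.2  2220  984 ?        S    Apr03   0:00 inetd
root      1337  0.3  0.4  1856 1012 ?        S    Apr03   0:12 /bin/sh /dev/.lib/hack.sh
httpd     2048  0.0  1.0  5412 2600 ?        S    Apr03   0:01 httpd
EOF

cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
# constructed inetd.conf: two legitimate services, then two appended root shells
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
bogus1  stream  tcp     nowait  root    /bin/sh         sh -i
bogus2  stream  tcp     nowait  root    /bin/sh         sh -i
EOF

cat > "$SAMPLE_DIR/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27999           0.0.0.0:*               LISTEN
EOF

echo "hidden dirs under dev:";  hidden_dev_dirs "$SAMPLE_DIR/dev"
echo "pids running *.sh:";      sh_process_pids "$SAMPLE_DIR/ps.txt"
echo "last inetd entries:";     inetd_tail_services "$SAMPLE_DIR/inetd.conf" 3
echo "inetd shell entries:";    inetd_shell_entries "$SAMPLE_DIR/inetd.conf"
echo "listeners above 27000:";  high_listen_ports "$SAMPLE_DIR/netstat.txt"
```

On a live box the same functions take /dev, the output of "ps aux" and "netstat -an" saved to files, and /etc/inetd.conf; a hit from any of them is a reason to take the host offline and rebuild rather than clean, since the thread's own experience shows the modified files reach well beyond index.html.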