[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [cobalt-developers] LION WORM

Subject: RE: [cobalt-developers] LION WORM
From: "Jamie Rossi" <jamie@xxxxxxxxx>
Date: Wed Apr 18 17:04:44 2001
List-id: Discussion Forum for developers on Cobalt Networks products <cobalt-developers.list.cobalt.com>

We were hacked this week on a RAQ3, and our Hosting provider (one of the
worlds largest gave us the following response.
============================================================================
======================
Blocking service definitely was not our intention. It seems the "broken"
files were moved but were not replaced....hmmm. I have replaced the files
with known good files. Your server was compromised by the lion worm as it
was running BIND 8.2.2-P7 which is exploitable by this virus.

We did not use a Cobalt patch to fix the compromised servers - we had to
design custom scripts and gather files to fix them. I guess the patch kits
made by Cobalt were not adequate to protect your machine against this virus.
Cobalt must have decided that 8.2.2-P7 was good enough even though the
warnings said 8.2.3 was the answer. I'm not sure if they have a more recent
patch kit or not.

============================================================================
=======================


Perhaps Cobalt could comment on this.

Regards

Jamie Rossi
-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of KAMRY
Sent: 19 April 2001 07:43
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: [cobalt-developers] LION WORM


COBALT GUYS, I HAVE RESTORED THE XTR AND UPDATED BIND AND REBOOTED AND
DISABLED DNS SO WHAT IS IT WITH THIS SERVER. I EVEN TRIED LIONFIND TO CHECK
THE SERVER MANY TIMES, AND NOTHING WAS ON THAT SERVER, BUT NOW I CAN'T
TELNET SO I USED FTP TO EXECUTE NETSTAT AND MCAFEE SAID THAT THE FILE IS
INFECTED BY LION WORM WHICH MEAN THE SERVER IS INFECTED TOO. ANY ONE CAN
LOOK INTO THIS XTR PRODUCT AND DO SOME LAB TESTING OR WHATEVER!!!!


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

_______________________________________________
cobalt-developers mailing list
cobalt-developers@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-developers

Follow-Ups:
- RE: [cobalt-developers] LION WORM
  - From: Alex Lee
- RE: [cobalt-developers] LION WORM
  - From: Barry Titmarsh

References:
- [cobalt-developers] LION WORM
  - From: KAMRY

Prev by Date: [cobalt-developers] LION WORM
Next by Date: RE: [cobalt-developers] WEBMAIL help for RAQ3.
Previous by thread: [cobalt-developers] LION WORM
Next by thread: RE: [cobalt-developers] LION WORM

Sun Cobalt Developers Message Index

Sun Cobalt Developers Thread Index