RE: [cobalt-developers] LION WORM
- Subject: RE: [cobalt-developers] LION WORM
- From: Andrew Cudzilo <linuxps@xxxxxxxxx>
- Date: Thu Apr 19 01:59:10 2001
- List-id: Discussion Forum for developers on Cobalt Networks products <cobalt-developers.list.cobalt.com>
Now.....I might be talking crazy here....but I think I have the total fix for everything.
Step 1) OS Restore
Step 2) Put the Unit on a private IP so you can install the packages*
Step 3) Reboot and go live
Sorry that this is a reply to you Alex.....no, you're not the target of this Clue-by-4.
For anyone who didn't know....one of the main functions of this exploit is the installation of a
root kit that makes your cobalt server......A PortScanner. PortScanners spend their time scanning
various subnets all over the internet. So putting an unprotected box on the internet without the
patches and trying to install them while a port scan can get to it.....is well....asking for it.
And a lot of people discovered that they had been rehacked after the update....and cried, "we had
the patches installed." But BIND can't close a hole if it's already open. And for the few
experiences I've seen, the timestamps of when the exploit went in and when the BIND update went in
are close, usually the exploit beating out the update by about 20 mins.
So, while every cobalt customer is learning a little something about good sysadmin (it's usually a
disaster that teaches us the best)....let's not point the fingers here. And of course....hey at
least it's not Windows....
And as for the 8.2.2-P7....umm yeah that's the default software installed....or at least I thought
so. But I didn't think that BIND 8.2.3 was released until post the first signs of the exploit.
It was my understanding that it was the BIND community that was caught with their pants
down....not Cobalt. I mean this affected BIND not Cobalt right. It is a BIND exploit right?
Or maybe I'm just rambling.
--------------------
AJC <linuxps@xxxxxxxxx>
Rule 1 of Sysadmin : backup the file
--- Alex Lee <alex@xxxxxxxxxx> wrote:
> > We did not use a Cobalt patch to fix the compromised servers - we had to
> > design custom scripts and gather files to fix them. I guess the patch kits
> > made by Cobalt were not adequate to protect your machine against
> > this virus.
> > Cobalt must have decided that 8.2.2-P7 was good enough even though the
> > warnings said 8.2.3 was the answer. I'm not sure if they have a
> > more recent
> > patch kit or not.
>
> The Cobalt patch does put in 8.2.3-REL
>
> [root /root]# ndc status
> named 8.2.3-REL Tue Jan 30 16:56:25 PST 2001
> admin@xxxxxxxxxxxxxxxxxx:/home/redhat/BUILD/bind-8.2.3/src/bin/named
> config (/etc/named.conf) last loaded at age: Wed Jan 3 17:26:50 2001
> number of zones allocated: 64
> debug level: 0
> xfers running: 0
> xfers deferred: 0
> soa queries in progress: 0
> query logging is OFF
> server is up and running
>
>
> alex
>
=====
--------------
#!/usr/bin/perl
print "Have Clue Will Travel";
--------------
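Added example, not part of the original thread or of any Cobalt patch kit: a small POSIX shell script that parses the `named <version>` line that `ndc status` prints (the format quoted by Alex above) and decides whether the running BIND 8 is at least the 8.2.3 release the thread is arguing about. The sample status text is constructed from the quoted message; the function names and the integer version key are this example's own conventions. It treats a `-P` suffix as a patch level on top of a release, so 8.2.2-P7 sorts above 8.2.2 but below 8.2.3, which is the comparison the thread is about.

```shell
#!/bin/sh
# Added example (not from the original thread): check a BIND 8 version string
# against a required minimum, using the "named <version> ..." line printed by
# "ndc status" as the input.

# Constructed sample of ndc status output, modelled on the quoted message.
SAMPLE_STATUS='named 8.2.3-REL Tue Jan 30 16:56:25 PST 2001
config (/etc/named.conf) last loaded at age: Wed Jan 3 17:26:50 2001
number of zones allocated: 64
server is up and running'

# Print the version token from the "named <version> ..." line, e.g. 8.2.3-REL.
# Prints nothing if no such line exists.
bind_version_from_status() {
    printf '%s\n' "$1" | awk '$1 == "named" { print $2; exit }'
}

# Turn a version such as 8.2.2-P7 into one comparable integer:
#   major*1000000 + minor*10000 + patch*100 + P-level
# "-REL" or no suffix means P-level 0, so 8.2.2-P7 (8020207) < 8.2.3 (8020300).
bind_version_key() {
    ver=$1
    base=${ver%%-*}            # 8.2.2
    suffix=${ver#"$base"}      # -P7, -REL or empty
    suffix=${suffix#-}
    plevel=0
    case $suffix in
        P[0-9]*) plevel=${suffix#P} ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $base               # split major.minor.patch into $1 $2 $3
    IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + plevel ))
}

# Return 0 if version $1 is at least version $2.
bind_version_at_least() {
    [ "$(bind_version_key "$1")" -ge "$(bind_version_key "$2")" ]
}

# Return 0 if the ndc status text in $1 reports BIND at or above 8.2.3;
# a missing "named" line counts as not patched.
bind_status_patched() {
    v=$(bind_version_from_status "$1")
    [ -n "$v" ] && bind_version_at_least "$v" 8.2.3
}

# Stand-alone demo on the constructed sample.
if bind_status_patched "$SAMPLE_STATUS"; then
    echo "sample status: BIND $(bind_version_from_status "$SAMPLE_STATUS") is at or above 8.2.3"
else
    echo "sample status: BIND is older than 8.2.3 (or no named line found)"
fi
```

On a live box the input would be `"$(ndc status)"` instead of the constructed sample; the version check only answers the narrow question of which named binary is running, not whether the box was already compromised before the update went in, which is exactly the gap the message above describes.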