
RE: [cobalt-developers] Looking for a Cobalt Security Guru or Recommendations



If you have access to your box, the best bet is to back up using rsync and then
run the migration CMU tool.
Restore the box and import the CMU; this should fix it.
Ensure you back up the /etc/named/records file if using the box for DNS,
but the rsync will have a complete copy of the server that can be quickly
mirrored back. You'll experience approx 2-3hrs downtime, if you prepare well.
If you can do it on Saturday night at 2am nobody will even notice ;)

If you haven't got access to another box and it's running everything, rent
another.
Then use the CMU to copy the sites/users.
If the box has been rooted, just do a compare on usernames in a clean
/etc/passwd file and if there's not one you know of, disable the account.
Most hacks don't store much stuff in the users' folders; they hide the
binaries in odd locations where nobody's likely to find them.

Hope that helps. If you're still having issues, we have spare RaQ2/3, and could
check the box for you, but the only way to be 100% sure is to restore it.

-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of Kevin
Schaefer
Sent: 15 August 2001 15:01
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: [cobalt-developers] Looking for a Cobalt Security Guru or
Recommendations


Looking for a Cobalt Security Guru to help us check out a RaQ3 after what
appears to be a mild hack.  We have removed the tk/t0rn rootkit, applied all
patches from Cobalt/Sun, removed unauthorized mail relays, and still need to
check for compromised binaries.  Of course it would be paid.

Kevin Schaefer
Creative Technical Services, Normal, Illinois
Ph. 309-862-2983, Fax 309-862-2226

_______________________________________________
cobalt-developers mailing list
cobalt-developers@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-developers
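
The username comparison suggested in the reply above, as an added example that is not part of the original thread. It assumes a known-clean copy of /etc/passwd (for instance from a backup taken before the incident); the function names and file arguments are hypothetical.

```shell
#!/bin/sh
# Added example: compare a suspect passwd file against a known-clean copy.
# Function names and file paths are hypothetical; the caller supplies both files.

# Usernames present in SUSPECT but absent from CLEAN.
new_accounts() {        # usage: new_accounts CLEAN SUSPECT
    awk -F: 'FILENAME == ARGV[1] { known[$1] = 1; next }
             !($1 in known)      { print $1 }' "$1" "$2"
}

# Usernames in both files whose UID, GID, home or shell changed.
changed_accounts() {    # usage: changed_accounts CLEAN SUSPECT
    awk -F: '{ attrs = $3 ":" $4 ":" $6 ":" $7 }
             FILENAME == ARGV[1]               { base[$1] = attrs; next }
             ($1 in base) && base[$1] != attrs { print $1 }' "$1" "$2"
}

# Accounts other than root that carry UID 0 (full root privileges).
uid0_accounts() {       # usage: uid0_accounts PASSWD
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Report when called as: sh passwd_diff.sh CLEAN SUSPECT
if [ "$#" -eq 2 ]; then
    echo "New accounts:";      new_accounts "$1" "$2"
    echo "Changed accounts:";  changed_accounts "$1" "$2"
    echo "Extra UID 0:";       uid0_accounts "$2"
fi
```

Accounts reported by any of the three checks are the candidates to disable and review; existing accounts whose UID or shell changed matter as much as newly added names.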