
[cobalt-security] Bind Hack



Hi there!

We got an e-mail today from our CoLo (UK2.net) that our RaQ3 had been hacked. The port 15000
would be open as a result of this hack. It further says that approx. 20 files had been changed and
we were urgently requested to apply a .pkg to repair those files.

Since I dare to fix things before they break, I tried to figure out and find some traces of the exploit.

I couldn't find a foreign thing in .bash_history. We don't have a '/lib/security/.config' like someone
wrote. I tried: 'telnet xxx.xxx.xxx.xxx 15000' and got 'Unable to connect' which tells me that port 15000 
is not open. Furthermore, everything is running smoothly: apache, ssh, e-mail and 
'/usr/sbin/ndc status' prints out version bind-8.2.3

Can someone please give some hints and save me from a heart attack?
How could I detect this hack?

Thanx
Thomas

--
InternAd.de
Internet Advertising
Thomas Prosi
tp@xxxxxxxxxxx



