[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-security] Bind Hack

Subject: [cobalt-security] Bind Hack
From: RaQ3 <cobalt@xxxxxxxxxxx>
Date: Fri, 9 Feb 2001 18:43:46 +0100
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Hi there !

We got an e-mail today from our CoLo (UK2.net) that our RaQ3 had been hacked. The port 15000
would be open as a result of this hack. It further says that aprox. 20 files had been changed and
we were urgently requested to apply an .pkg to repair those files. 

Since I dare to fix things before they break, I tried to figure out and find some traces of the exploit.

I couldn't find a foreign thing in .bash_history. We don't have a '/lib/security/.config like someone 
wrote. I tried: 'telnet xxx.xxx.xxx.xxx 15000' and got 'Unable to connect' which tells me that port 15000 
is not open. Furthermore, everything is running smoothly: apache, ssh, e-mail and 
'/usr/sbin/ndc status' prints out version bind-8.2.3

Can someone please give some hints and save me from a heart attack ?
How could I detect this hack ?

Thanx
Thomas

--
InternAd.de
Internet Advertising
Thomas Prosi
tp@xxxxxxxxxxx

Follow-Ups:
- Re: [cobalt-security] Bind Hack
  - From: Mike Fritsch
- Re: [cobalt-security] Bind Hack
  - From: Kul
- Re: [cobalt-security] Bind Hack
  - From: John Bailey

Prev by Date: [cobalt-security] Re: [cobalt-users] BIND & ProFTPD
Next by Date: Re: [cobalt-security] Bind Hack
Previous by thread: [cobalt-security] bind hack
Next by thread: Re: [cobalt-security] Bind Hack

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index