Re: [cobalt-security] Bind Hack

[Kul <WebMaster@xxxxxxx>]

RaQ3 wrote:

> Hi there !
>
> We got an e-mail today from our CoLo (UK2.net) that our RaQ3 had been hacked. The port 15000
> would be open as a result of this hack. It further says that aprox. 20 files had been changed and
> we were urgently requested to apply an .pkg to repair those files.
>
> Since I dare to fix things before they break, I tried to figure out and find some traces of the exploit.
>
> I couldn't find a foreign thing in .bash_history. We don't have a '/lib/security/.config like someone
> wrote. I tried: 'telnet xxx.xxx.xxx.xxx 15000' and got 'Unable to connect' which tells me that port 15000
> is not open. Furthermore, everything is running smoothly: apache, ssh, e-mail and
> '/usr/sbin/ndc status' prints out version bind-8.2.3
>
> Can someone please give some hints and save me from a heart attack ?
> How could I detect this hack ?
>
> Thanx
> Thomas
>
> --

Thomas,
Try visiting: http://groups.yahoo.com/group/raq  theres 700 emails all on this very subject about the UK2 Hacker,
incidentally are you a member of this UK2Raq mailing list?  As this list was the first to discover the problem, and the patch's gutts were written by a member of the UK2Raq list, So thats where the answers are !  Incidentally the UK2 version does not solve all the problems completly, telnet login is left in a little mess.

Uk2 have today been looking at all the raq's on their farm, and any that have shown a problem have/will be fixed, but its failry safe to say that if you have done 'dir', 'l' and 'ls' on this directory and it is not showing, then yours should be ok.
Also if you installed the BIND update (cobalt) immediatly it came out, then you may be fine.  However you would have had to been quick, because in under 24hrs of the release 190+ UK2 raqs have been attacked!

The Hacker if successfull will have already obtained ALL your passwords (well those that have logged in)  It would be wise to get them changed if youve been done !

Regards
Kul (Uk2Net too)