
Re: [cobalt-security] Bind Hack



Hi,

> I couldn't find a foreign thing in .bash_history.

Don't expect to.  Any hacker with any sense, and a lot of rootkits, remove
lines from logs and history files in order to cover up the intrusion.

> I tried: 'telnet xxx.xxx.xxx.xxx 15000' and got 'Unable to connect' which
> tells me that port 15000 is not open.

Just to point out here, that's not always the case.  'telnet' attempts a
TCP connection, but ports can also be opened to listen for UDP.  One check
you can do is to use 'netstat' to list all the listening ports, using the
'-al' switches.  Of course, you've got to have confidence in your copy of
'netstat' first.

> How could I detect this hack ?

This taken from the UK2RaQ list - Try the following command:

md5sum /usr/sbin/named

If you get 20a8796196848e0e393b2ec50da0aba4
then you're hacked; if not, then you're OK.

As has been stated in another reply, I'd suggest you join the UK2RaQ list,
as they know the specifics of this attack.

Might I also suggest installing an intrusion detection system, such as
'Tripwire'?  This will allow you to check for modified (i.e., trojaned)
system files.

Best of luck,

John
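The following script is an added example and not code from the original post or from the Cobalt or UK2RaQ lists. It turns the three pieces of advice above into runnable checks: comparing a binary against the known-bad MD5 quoted for /usr/sbin/named, keeping a Tripwire-style baseline of file hashes and reporting what changed, and pulling UDP listeners out of 'netstat -an' output, which a TCP-only probe such as telnet never sees. The netstat sample inside it is constructed for the demo, not a real capture, and the scratch files the demo writes are likewise made up.

```sh
#!/bin/sh
# Added example (not from the original post): integrity and listener checks
# in the spirit of the md5sum / Tripwire / netstat advice in the reply above.

KNOWN_BAD_NAMED_MD5="20a8796196848e0e393b2ec50da0aba4"   # hash quoted in the post

# MD5 of a file; works with GNU md5sum or BSD md5.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# True (exit 0) when the file hashes to the trojaned-named value.
# Run it as: is_known_trojaned_named /usr/sbin/named
is_known_trojaned_named() {
    [ "$(file_md5 "$1")" = "$KNOWN_BAD_NAMED_MD5" ]
}

# Record "hash  path" for every file given; $1 is the baseline file.
# Keep the baseline off-box or on read-only media: a rootkit that can
# replace named can just as easily rewrite a baseline kept on the same disk.
make_baseline() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        printf '%s  %s\n' "$(file_md5 "$f")" "$f" >> "$baseline"
    done
}

# Compare the current files to the baseline. Prints one line per problem
# and returns 1 if anything is missing or modified, 0 if everything matches.
verify_baseline() {
    rc=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(file_md5 "$path")" != "$sum" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# Print the local port of every UDP socket in 'netstat -an' style input (stdin).
# Feed it the real thing with: netstat -an | udp_listeners
udp_listeners() {
    awk '$1 == "udp" { sub(/.*:/, "", $4); print $4 }'
}

# Constructed sample of 'netstat -an' output for the demo (not a real capture).
demo_netstat_output() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:15000           0.0.0.0:*
EOF
}

# End-to-end demo on a scratch directory: baseline, tamper, verify.
demo() {
    tmp=$(mktemp -d)
    printf 'original named\n' > "$tmp/named"
    printf 'original netstat\n' > "$tmp/netstat"
    make_baseline "$tmp/baseline.md5" "$tmp/named" "$tmp/netstat"
    printf 'trojaned named\n' > "$tmp/named"          # simulate the intrusion
    is_known_trojaned_named "$tmp/named" || echo "named hash is not the known-bad one"
    verify_baseline "$tmp/baseline.md5" || echo "integrity check FAILED"
    echo "UDP listeners: $(demo_netstat_output | udp_listeners | xargs)"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with './check.sh --demo' to see the tampered file reported as MODIFIED and the two UDP ports (including 15000) listed. The same caveat John raises about netstat applies to every tool here: md5sum, awk and the shell itself can be trojaned, so run the checks from a known-good copy (a rescue CD or a statically linked binary you brought with you) and store the baseline somewhere the box cannot overwrite.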




Sun Cobalt Support by Zeffie.com

Copyright 2007 by Electronic Consultants Inc.