
Re: [cobalt-security] Bind Hack



Hi,

> I couldn't find a foreign thing in .bash_history.

Don't expect to.  Any hacker with any sense, and a lot of rootkits, remove
lines from logs and history files in order to cover up the intrusion.

> I tried: 'telnet xxx.xxx.xxx.xxx 15000' and got 'Unable to connect' which
> tells me that port 15000 is not open.

Just to point out here, that's not always the case.  'telnet' attempts a
TCP connection, but ports can also be opened to listen for UDP.  One check
you can do is to use 'netstat' to list all the listening ports, using the
'-al' switches.  Of course, you've got to have confidence in your copy of
'netstat' first.

> How could I detect this hack?

This is taken from the UK2RaQ list.  Try the following command:

md5sum /usr/sbin/named

If you get 20a8796196848e0e393b2ec50da0aba4,
then you're hacked; if not, then you're o.k.

As has been stated in another reply, I'd suggest you join the UK2RaQ list,
as they know the specifics of this attack.

Might I also suggest installing an intrusion detection system, such as
'Tripwire'?  This will allow you to check for modified (i.e., trojaned)
system files.

Best of luck,

John
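As an added example (not from John's reply or the UK2RaQ list), a small POSIX shell script that does the two checks the reply describes: it compares a binary's MD5 against the known-bad hash quoted above, and scans `netstat -al`-style output for a port bound on TCP or UDP, which a telnet probe alone would miss. The sample netstat output and the `report` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: hash check plus TCP/UDP listener scan.

# Known-bad MD5 of the trojaned /usr/sbin/named quoted in the thread.
KNOWN_BAD_MD5="20a8796196848e0e393b2ec50da0aba4"

# Constructed sample of `netstat -al` output (not from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN
tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN
udp        0      0 0.0.0.0:15000    0.0.0.0:*
udp6       0      0 :::53            :::*'

# MD5 of a file; uses GNU md5sum or falls back to BSD md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# 0 if FILE matches the known-bad hash, 1 if it does not, 2 if FILE is
# missing. A mismatch is not proof the binary is clean: other trojaned
# builds have other hashes, so pair this with Tripwire-style baselining.
is_known_trojan() {
    [ -f "$1" ] || return 2
    [ "$(md5_of "$1")" = "$KNOWN_BAD_MD5" ]
}

# Read netstat-style lines on stdin and print each protocol (tcp, udp,
# tcp6, udp6) whose local address is bound on PORT. telnet only probes
# TCP, so a UDP listener would go unnoticed without this.
listeners_on_port() {
    awk -v p="$1" '$1 ~ /^(tcp|udp)/ {
        n = split($4, a, ":"); if (a[n] == p) print $1
    }'
}

# Run both checks on the live host: report NAMED_PATH PORT
report() {
    if is_known_trojan "$1"; then
        echo "ALERT: $1 matches the known trojaned named"
    else
        echo "no match for $1 against the known-bad hash"
    fi
    # Only meaningful if the netstat binary itself has been verified.
    netstat -al 2>/dev/null | listeners_on_port "$2" | sed "s/^/port $2 bound via: /"
}

if [ "$#" -eq 2 ]; then report "$1" "$2"; fi
```

Run as `sh check.sh /usr/sbin/named 15000` on the suspect host; the `netstat -al` scan only means something if `netstat` has been checked against a trusted copy first.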