[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] Bind Hack


> I couldn't find a foreign thing in .bash_history.

Don't expect to.  Any hacker with any sense, and a lot of rootkits, remove
lines from logs and history files in order to cover up the intrusion.

> I tried: 'telnet xxx.xxx.xxx.xxx 15000' and got 'Unable to connect' which
> tells me that port 15000 is not open.

Just to point out here, that's not always the case.  'telnet' attempts a
TCP connection, but ports can also be opened to listen for UDP.  One check
you can do is to use 'netstat' to list all the listening ports, using the
'-al' switches.  Of course, you've got to have confidence in your copy of
'netstat' first.

> How could I detect this hack ?

This taken from the UK2RaQ list - Try the following command:

md5sum /usr/sbin/named

If you get 20a8796196848e0e393b2ec50da0aba4
then you're hacked, if not, then you're o.k.

As has been stated in another reply, I'd suggest you join the UK2Raq list,
as they know the specifics of this attack.

Might I also suggest, installing an intrusion detection system, such as
'Tripwire' ?  This will allow you to check for modified (ie, trojaned)
system files.

Best of luck,