
Re: [cobalt-users] hacking



----- Original Message -----
From: "Stephen Mc Carron" <newlyons@xxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Monday, May 08, 2000 4:59 PM
Subject: RE: [cobalt-users] hacking


> Hi Jens,
>
> When I eventually rebooted the raq3, there were mails from root to
> SOLhax@xxxxxxx bouncing around, also ADMROCKS directory in my named
> directory.

The 'ADMROCKS' is a known bind hack.  Upgrade your bind packages
_immediately_ after a restore, otherwise the hacker will be able to get back
into your system quite easily for as long as you run that particular version
of bind.  It happened to me four times in one day ((hack => restore => hack)
x4) on a test server running the vulnerable bind packages.

Sounds like the person exploited bind to gain root access, then infected you
with a few other things.  Also, check for strange lines in /etc/services
towards the end.  With the bind exploit, they usually kill off bind, fubar
the bind service, and open a root hole via an ip:port combo that does not
require a pw to log into your server.

Very nasty indeed.

BC
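The advice above to look for strange lines appended to /etc/services (and, more generally, for service/port pairs that were not there before the incident) can be turned into a quick check against a known-good copy of the file. The script below is an added example, not code from the list post or from Cobalt; the two services files are constructed inline so it runs offline, and the "baseline" is assumed to be a copy of the file taken from a clean install or a pre-incident backup.

```shell
#!/bin/sh
# Compare a services file against a known-good baseline and report
# every service/port pair that the baseline does not contain.
# Added example (not from the original post); file contents are constructed.

BASELINE=$(mktemp)
CURRENT=$(mktemp)
trap 'rm -f "$BASELINE" "$CURRENT"' EXIT

# Constructed baseline: a trimmed /etc/services from a clean install.
cat > "$BASELINE" <<'EOF'
ftp      21/tcp
ssh      22/tcp
smtp     25/tcp
domain   53/tcp
domain   53/udp
http     80/tcp
EOF

# Constructed post-incident copy: same entries plus lines appended at the end.
cat > "$CURRENT" <<'EOF'
ftp      21/tcp
ssh      22/tcp
smtp     25/tcp
domain   53/tcp
domain   53/udp
http     80/tcp
# (constructed) entries that were not in the baseline
linuxconf  98/tcp
socks    1080/tcp
telnet   65535/tcp
EOF

# unknown_services CURRENT_FILE BASELINE_FILE
# Prints "<line number>: <line>" for each non-comment entry in CURRENT_FILE
# whose "name port/proto" pair is absent from BASELINE_FILE.
unknown_services() {
    awk 'NR==FNR { if (NF > 0 && $1 !~ /^#/) seen[$1 " " $2] = 1; next }
         NF == 0 || $1 ~ /^#/ { next }
         !(($1 " " $2) in seen) { print FNR ": " $0 }' "$2" "$1"
}

# unknown_count CURRENT_FILE BASELINE_FILE
# Number of flagged entries, usable as an exit-status style summary.
unknown_count() {
    unknown_services "$1" "$2" | wc -l | tr -d ' '
}

echo "Entries in $CURRENT not present in baseline:"
unknown_services "$CURRENT" "$BASELINE"
echo "Total flagged: $(unknown_count "$CURRENT" "$BASELINE")"
```

On a real box the baseline would be a services file from install media or a backup made before the compromise, and the same comparison is worth running on /etc/inetd.conf, since an appended services line is only useful to an intruder once something is actually listening on that port.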