Re: [cobalt-users] Locked Out Of Cobalt Server
- Subject: Re: [cobalt-users] Locked Out Of Cobalt Server
- From: "H.P. Stroebel" <hpstr@xxxxxxxxxxxxx>
- Date: Wed Jul 12 17:25:41 2000
- Organization: Rechtsanwalt
Chad Levin wrote:
> I've been unable to get into contact with the programmer after I told him about
> this error.
After having reset the password (RTFM -> paperclip), YOU SHOULD TAKE
YOUR SERVER OFFLINE to examine it. If anyone changes your pw files, most
likely he installs a backdoor or a trojan or does something more evil
(it seems to be paranoid, but reality teaches...).

First, make a FULL backup using tar, maintaining the permissions for
further examination (if your box is compromised and prepared for other
illegal activities and you are able to track down your "consultant", it
can be useful).

Then, check with ifconfig if any network interface has set the
promiscuous mode (-> sniffers). If yes, warn your provider, if you do
colocation, and check your other boxes (if you have any, you should
IMMEDIATELY check ALL OF THEM) and CHANGE ALL user names AND passwords.
If a user's password, even of an unprivileged one, is sniffed, you can
assume that after (max) 1 hour an average hacker on a server with a
medium security level (and default Cobalts are *low* level) has root
access...

Cleaning a box from an intrusion is a critical job, so I'll recommend
reinstalling it and copying the sites (/home/...) back, BUT NOT the
configuration files (in my opinion, checking their content and their
owners + permissions is more work (and more insecure) than reinstalling
your sites).

Before redeploying it, check AT LEAST the site files for hidden or
abnormal directories and files and check their content. Check the home
directories for files that have the setuid bit set.
Check all the CGI scripts for system calls, forks, evals, definitions in
backticks, sendmail calls, etc., especially the ones installed by your
"consultant"...
Change ALL user names AND passwords BEFORE deploying it and disable
shell access for all if possible.

***

If you don't understand this or aren't experienced with file
permissions, network configuration, Perl + shell scripting, it is most
likely that you will not be able to check and/or recover your box in a
sufficient manner. In this case, you should hire qualified personnel.
Consider that your compromised server is not only a danger for you, but
for all others on the net (imagine hidden password sniffers, distributed
DoS attacks etc.) and that YOU are the responsible person for your
server, even if it has been hacked.
cu
--
H. P. Ströbel
PGP Digital Fingerprint :
58E0 6ECB 620A A689 E206
BCA8 300F BC45 6EEC F7C3
Yes, I do. But not Yahoo.