Re: [cobalt-users] Hack Attempt?
- Subject: Re: [cobalt-users] Hack Attempt?
- From: Fabrice Prémel <fabrice@xxxxxxxxxx>
- Date: Thu Oct 19 06:37:02 2000
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>Can you first explain what this program can do, has done to the RAQ
Seems this exploit will give root power. Moreover, it will bind a
suid shell on port 3879. Try a 'netstat -a' to see if such a port is
open. If it is, then anyone connecting to this port will have root
access.
I would suggest disconnecting the machine from the Internet, then
making a close review of the system. If you have backups, you should
reinstall everything and restore, to come back to a normal, non-hacked
configuration.
The program that was hacked in the first place seems to be "gdm",
which you might consider upgrading or deleting if it contains a
security flaw.
>and then tell me how to trace who logged in or "hacked" in yesterday
>(18th Oct) so we can get to the bottom of this?
If the hacker was not stupid, he erased all traces from your logs.
Best is to examine them carefully (at least to see the time of the
attack). However, even if you find something, don't forget it is not
sure to be relevant.
You might want to call your ISP, and see with them if they have some
logs somewhere to trace the hacker.
Hope that helps,
Fabrice Prémel.
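
The port check suggested in the reply above, as an added example that is not part of the original post: it reads a Linux /proc/net/tcp-format socket table and reports only sockets in the LISTEN state on the given port. The function names and the sample table are constructed for illustration; a Linux /proc layout is assumed.

```shell
#!/bin/sh
# Added example (not from the original message).
# listeners_on_port PORT [FILE]
#   FILE defaults to /proc/net/tcp; pass "-" to read the table from stdin.
#   Prints "local_address uid=N inode=N" for each socket on PORT whose
#   state column is 0A (TCP LISTEN).
listeners_on_port() {
    port_hex=$(printf '%04X' "$1")      # ports are stored as 4 hex digits
    file=${2:-/proc/net/tcp}
    awk -v p="$port_hex" '
        NR == 1 { next }                # skip the column header
        {
            n = split($2, a, ":")       # local_address is ADDRHEX:PORTHEX
            if (toupper(a[n]) == p && toupper($4) == "0A")
                print $2, "uid=" $8, "inode=" $10
        }' "$file"
}

# Constructed sample table: a listener on 3879 (0x0F27) owned by uid 0,
# a listener on 22 (0x0016), and an ESTABLISHED (01) connection whose
# local port is 3879, which must not be reported as a listener.
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0F27 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4242
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1111
   2: 0100007F:0F27 0100007F:8000 01 00000000:00000000 00:00000000 00000000     0        0 4243
EOF
}

# Demo on the constructed table; on a live host run: listeners_on_port 3879
sample_table | listeners_on_port 3879 -
```

A uid of 0 on a reported line means the listening socket belongs to root; the inode can be matched against /proc/PID/fd entries to find the owning process.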