[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-users] Been Hacked - WAS: Bad Data in /var/run/utmp

Subject: [cobalt-users] Been Hacked - WAS: Bad Data in /var/run/utmp
From: "Craig Napier" <craignapier@xxxxxxxxxxx>
Date: Sat Feb 10 15:09:27 2001
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

Well, add me to the list of people that's been comprismied by this BINDexpoilt.. And DON'T think you're immune to this thing just because you havethe BIND patch installed... I installed the patch one day after it wasreleased, but apparently they had already gained some level of accesspreviously... I also had none of the root kits mentioned here or any of theother *strange* directories as noted... I guess they weren't able to getfull access, just enough to over-run the buffers and cause problems... Thebox was running Portsentry, Logcheck, IPChains, Telnet *disabled* - onlySSH2 access, and *EVERY* patch listed on the Cobalt web site... Yesterday Istarted having strangeness when doing a "ps aux"... Everything was sorted byUSERID instead of by PID <as usual>. Then when trying to do a top, I recv'd"Bad Data in /var/run/utmp"... So this morning I got on line with Cobalt,and flipped on Telnet to give them access and discovered you couldn'tconnect via Telenet --OR-- FTP... (But I could still get in via SSH2)... Shesaid something about once they get in, they span the SSH daemon to get otherconnections <??>.. The only other difference I could find between thiscomprised box and my other two in operation... Under /var/run/ - thecomprimed box had a strange syslog file... The two *uncomprised boxes run:


/var/run/syslogd.pid

But on the comprised box it was:

/var/run/syslog.pid

I won't even think about anything but a full wipe and OS restall.. But Itell you what.. when IPchains goes in this time, I'm putting up one MEANFIREWALL that let's NO ONE in that box except via FTP <over SSH2> and WWWports.... I'm sure I'll be running my firewall rules by the list in thecoming day or so for any input on their config..

Keep watch closly.. and if you haven't already installed the BIND patch..I'd go get it installed *right now*... <then take aim at CERT for releasingthis madness on the net!>



_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com

Follow-Ups:
- Re: [cobalt-users] Been Hacked - WAS: Bad Data in /var/run/utmp
  - From: Joi

Prev by Date: Re: [cobalt-users] questions
Next by Date: RE: [cobalt-users] How do I create an Alias on a Raq3?
Previous by thread: [cobalt-users] Fw: !! Urgent - Need your help mailing the cobalt-list!!
Next by thread: Re: [cobalt-users] Been Hacked - WAS: Bad Data in /var/run/utmp

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index