> Our RAQ 3i's DNS service failed so we began looking at the box and then discovered that we could not telnet into the box as admin. We were able to get in via SSH until we restarted the box; now it also indicates "incorrect login". We are able to login via the web interface but are not sure what to do next at this point.

>> I too have had the same problem today with a customer's RAQ3. After gaining access to the box I checked /root/.bash_history only to get the following error: Incomplete terminfo entry
This is almost the exact same symptoms (to the T) that our RaQ3 showed over the weekend. We then learned an hour later it had been compromised... We're not sure if it was via BIND or FTP, but we're leaning towards the BIND exploit.. We were still able to connect via SSH, but all FTP/Telnet access (once turned on) failed to work... When running the top command, we'd receive an error "Bad data in /var/run/utmp" (which is what logs users' logins to (some) various services). Also, when running ps aux, all processes were being listed by USERID instead of by PID (which is the normal case). Cobalt said these kiddies are getting in on BIND then replacing various system items, but they're not compatible with the Cobalts as there have been hacks by Cobalt off the original RedHat code that tweaked certain things just a bit..

So do a little more ground work and if you've been compromised, I'd strongly recommend an OS reload followed by all the old firewall/ipchains/portsentry/logcheck/tripwire goodies you can muster..
Good Luck!
Craig Napier
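The "Bad data in /var/run/utmp" message that top printed on the compromised RaQ3 is worth turning into a check you can run yourself rather than waiting for a tool to complain. The script below is an added example, not code from this thread or from Cobalt: it parses a utmp image record by record and reports anything structurally wrong (a file length that is not a whole number of records, an unknown ut_type, non-printable bytes where a username or tty name belongs, a USER_PROCESS entry with no pid or no user). It assumes the glibc struct utmp layout on x86 Linux (384-byte little-endian records); the sample records it checks are constructed inline, and the path /var/run/utmp is only read if you pass it on the command line.

```python
import string
import struct
import sys

# Assumption: glibc's struct utmp on x86 Linux, 384 bytes per record,
# little-endian. Field order: ut_type, pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session, ut_tv (2 ints),
# ut_addr_v6[4], unused[20]. Other platforms or libcs may lay it out differently.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes

UT_TYPES = {
    0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
    5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
    8: "DEAD_PROCESS", 9: "ACCOUNTING",
}
USER_PROCESS = 7
# Bytes we accept inside a username, tty name or hostname field.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def cstr(raw: bytes) -> bytes:
    """Return the bytes before the first NUL, as a C string reader would see them."""
    return raw.split(b"\0", 1)[0]


def parse_utmp(data: bytes):
    """Split a utmp image into unpacked records plus the count of trailing bytes."""
    n = len(data) // UTMP_SIZE
    recs = [struct.unpack_from(UTMP_FMT, data, i * UTMP_SIZE) for i in range(n)]
    return recs, len(data) - n * UTMP_SIZE


def check_utmp(data: bytes) -> list:
    """Return human-readable findings; an empty list means the image looks sane."""
    findings = []
    recs, leftover = parse_utmp(data)
    if leftover:
        findings.append(f"file length {len(data)} is not a multiple of "
                        f"{UTMP_SIZE} ({leftover} trailing bytes)")
    for idx, rec in enumerate(recs):
        ut_type, pid, line, _ut_id, user, host = rec[:6]
        tv_sec = rec[9]
        if ut_type not in UT_TYPES:
            findings.append(f"record {idx}: unknown ut_type {ut_type}")
        for name, field in (("ut_line", line), ("ut_user", user), ("ut_host", host)):
            if any(b not in PRINTABLE for b in cstr(field)):
                findings.append(f"record {idx}: non-printable bytes in {name}")
        if ut_type == USER_PROCESS:
            # A live login must carry a pid, a user and a timestamp.
            if pid <= 0:
                findings.append(f"record {idx}: USER_PROCESS with pid {pid}")
            if not cstr(user):
                findings.append(f"record {idx}: USER_PROCESS with empty ut_user")
            if tv_sec <= 0:
                findings.append(f"record {idx}: USER_PROCESS with timestamp {tv_sec}")
    return findings


def make_record(ut_type, pid, line, ut_id, user, host, tv_sec) -> bytes:
    """Pack one utmp record (used here only to build constructed test data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line, ut_id, user, host,
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


# Constructed sample data: one well-formed login, one corrupted record
# (bogus type, binary junk in the user field) and a truncated tail.
SAMPLE_GOOD = make_record(USER_PROCESS, 1234, b"pts/0", b"ts/0", b"admin",
                          b"192.0.2.10", 981000000)
SAMPLE_BAD = make_record(99, 0, b"pts/1", b"ts/1", b"\xff\xfe\x00", b"", 0)
SAMPLE_FILE = SAMPLE_GOOD + SAMPLE_BAD + b"\x00" * 17


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = SAMPLE_FILE
    for finding in check_utmp(image) or ["no problems found"]:
        print(finding)
```

Run it as `python3 check_utmp.py /var/run/utmp` on the suspect host (or, better, on a copy of the file taken off the box). A clean file yields no findings; the constructed sample reports the odd length, the unknown type and the junk username. Because the layout is hard-coded, a stream of "unknown ut_type" findings on every record usually means the struct differs on that platform rather than that the file is bad, so confirm the layout with `man 5 utmp` on the target before trusting the output.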