Re: [cobalt-users] Another Raq3 Hack
- Subject: Re: [cobalt-users] Another Raq3 Hack
- From: "inc" <inc@xxxxxxxxxxxxx>
- Date: Wed Feb 14 23:43:18 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
when i got stumped for answers i sought out a local hacker irc channel where
i detailed my situation. then they asked me what the system was... i told
them... their response?
"ownage++++ !!"
i.e. .. easily "owned"
you couldn't believe how quickly they typed that line.
> Is it possible to plug this up without flattening the box?
you could judiciously reinsert the original cobalt binaries included in
unhacked.tar.gz and go through all your startup scripts and clean them and
hope for the best like i've done :)
you'll find the original md5 checksums here:
http://list.cobalt.com/pipermail/cobalt-users/2001-February/032902.html
test yours via:
admin# md5sum filename
you may find that login is replaced.
root# netstat -ntap
is your friend.
root# fuser -n proto 000
will return the pid bound to a specific port, where proto is "udp" or "tcp"
and "000" is the port number returned by netstat (don't include the quotes)
then you can install "lsof" which when fed correctly
root# lsof -p 0000
(where 0000 is the pid returned from fuser) will reveal the naughty process
name.
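
The netstat step above, as an added example that is not part of the original post: it filters `netstat -ntap` output down to listening TCP sockets whose port is not on a list you expect, and prints the port, pid and program name so the pid can go to fuser or lsof. The function names, the allowlist argument and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): list listening TCP sockets
# whose port is not on an allowlist, from `netstat -ntap` output on stdin.
# $1 = space-separated allowed ports (a convention assumed for this example).
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)          # keep the text after the last colon
            if (port in ok) next
            m = split($7, pp, "/")        # "1093/unknownd" -> pid, name
            print port, pp[1], (m > 1 ? pp[2] : "-")
        }'
}

# Constructed sample output; addresses, pids and names are made up.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address  State       PID/Program name
tcp        0      0 0.0.0.0:80       0.0.0.0:*        LISTEN      612/httpd
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN      488/sshd
tcp        0      0 0.0.0.0:5555     0.0.0.0:*        LISTEN      1093/unknownd
tcp        0      0 :::443           :::*             LISTEN      612/httpd
tcp        0      0 10.0.0.5:5555    10.0.0.9:51514   ESTABLISHED 1093/unknownd
EOF
}

# On a live box: netstat -ntap | unexpected_listeners "22 80 443"
# Each line printed is "port pid name"; pass the pid to `lsof -p`.
sample_netstat | unexpected_listeners "22 80 443"
```

The result is only as trustworthy as the netstat binary that produced the input, so compare its md5 against the known-good list first.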