RE: [cobalt-users] Trinoo DDoS server in init
- Subject: RE: [cobalt-users] Trinoo DDoS server in init
- From: "Tony" <isplists@xxxxxxxxxxxx>
- Date: Thu Feb 15 01:47:03 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
+>>[root@www /root]# md5sum /sbin/init
+>>5a64a78a799ab2e0cc3c8a6f931ab2f4 /sbin/init <== could someone else
+>> >>verify?
+
+That's what I've got... So it looks like we're good..
+
+-Craig
So which is the real init?
These appear to be the hacked files:
/usr/sbin
-rwxr-xr-x 1 root root 318004 Feb 13 23:17 init
-rwxr-xr-x 1 root root 35628 Feb 13 23:17 in.smb
An inetd.conf entry was added for in.smb
So the asshole scriptkiddie could connect via Samba with his daddy's Windows
machine?
The good init checksum is at
/sbin
-rwxr-xr-x 1 root root 27176 Apr 24 2000 init
Which init file is the box booting from?
Also got bad checksums on:
662c04f1e5af11fc38a82b736644b591 /usr/sbin/named
a8a65bd376f38ce3f99bed64956bdf09 /bin/netstat
60959ee2254105bfc55a2740dc1bdaab /bin/login
This RaQ was fully patched too, including named.
Would replacing the bad checksum binaries secure the box until tomorrow?
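
Added example, not part of the original message: the three checks discussed in this thread (binaries against a known-good md5 manifest, the same binary name in more than one directory, and inetd.conf entries that point at programs missing from the manifest) as shell functions. The function names, the sample tree and the sample inetd.conf line are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, paths and the sample tree are constructed.
# check_manifest ROOT MANIFEST: MANIFEST holds "<md5>  <path>" lines taken from
# a trusted copy. Prints MISSING/MISMATCH lines and returns 1 if there are any.
check_manifest() {
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$1$path" ]; then echo "MISSING $path"; bad=1; continue; fi
        have=$(md5sum < "$1$path" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "MISMATCH $path"; bad=1; }
    done < "$2"
    return $bad
}
# shadowed_names ROOT DIR...: basenames found in more than one DIR (a second "init").
shadowed_names() {
    root=$1; shift
    for d in "$@"; do
        for f in "$root$d"/*; do
            if [ -f "$f" ]; then basename "$f"; fi
        done
    done | sort | uniq -d
}
# unlisted_inetd_servers ROOT MANIFEST: field 6 of an inetd.conf entry is the
# server program; prints each one that has no manifest line.
unlisted_inetd_servers() {
    awk '$1 !~ /^#/ && NF >= 6 && $6 != "internal" {print $6}' "$1/etc/inetd.conf" |
    sort -u | while read -r prog; do
        awk -v p="$prog" '$2 == p {ok=1} END {exit !ok}' "$2" || echo "UNLISTED $prog"
    done
}
# build_sample: constructed tree modelled on the message; prints its root.
build_sample() {
    r=$(mktemp -d)
    mkdir -p "$r/sbin" "$r/usr/sbin" "$r/bin" "$r/etc"
    echo good-init > "$r/sbin/init"; echo good-login > "$r/bin/login"
    (cd "$r" && md5sum sbin/init bin/login | sed 's|  |  /|') > "$r/manifest"
    echo changed > "$r/bin/login"    # altered after the manifest was taken
    echo x > "$r/usr/sbin/init"; echo x > "$r/usr/sbin/in.smb"
    printf '%s\n' '# constructed inetd.conf' 'echo stream tcp nowait root internal' \
        'smb stream tcp nowait root /usr/sbin/in.smb in.smb' > "$r/etc/inetd.conf"
    echo "$r"
}

R=$(build_sample)
check_manifest "$R" "$R/manifest" || true
shadowed_names "$R" /sbin /usr/sbin /bin
unlisted_inetd_servers "$R" "$R/manifest"
rm -rf "$R"
```

On a host where /bin/login and /bin/netstat already fail their checksums, md5sum, awk and the shell itself should be run from trusted media with the suspect disk mounted as ROOT.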