Re: [cobalt-users] Interface Promiscuous Mode and FTP Hacks
- Subject: Re: [cobalt-users] Interface Promiscuous Mode and FTP Hacks
- From: flash22@xxxxxxx
- Date: Fri Feb 16 03:44:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Fri, 16 Feb 2001, chris wrote:
>
> > Promiscuous mode means the network card is listening on all possible IP
> > addresses instead of just the ones it's supposed to, almost certainly
> > another trojan type thingy, check inetd.conf for more things that
> > shouldn't be there, netstat -a may help, funny open ports are a clue..
>
> how could we close all ports less the few necessary ones?
By making sure you don't have any more nasty things ;) check for *anything*
you don't think should be there in inetd.conf, be suspicious of any line
that starts with a number instead of a name (eg 23 instead of 'ftp')
use netstat or a port scanner to look at ports, and then run lsof or fuser
to identify the program listening on the port, remember for the port to be
open, some program has to be there waiting ...
check *all* the /etc/rc.d/* files for things that look weird, especially
anything that runs sh or bash, sshd isn't the only thing that can sit
there waiting for someone to connect, telnetd can be stuck in there to
open connections on a port for people too...'portd' is another common
shell-to-port tool...
audit your cgi's :) (and .htaccess files and .htpasswd files, make sure
you don't have web / cgi holes in addition to the more obvious shell
holes.. the best place to hide something is where you aren't looking, like
the web server ...
invalidate *all* ssh exported keys btw, make new ones (make sure you can
get in first) if you have compromised keys your ssh is now only depending
on simple password ;)
Did I say change all your passwords before?
If you have SSL keys on a hacked server you have even more potential
problems ....I'm not even gonna go there :)
>
> Also, it seems the MIPS RaQs are less vulnerable...?
Not less vulnerable, but definitely much less likely to be hacked because
the hacks that are easily available over the net have x86 cpu code in them,
it won't run on the MIPS cpu, so the kiddie scripts don't work, however, a
knowledgeable hacker could write a working one for the same vulnerability
for the different cpu ..the only good thing is there aren't all that many
folks around that know MIPS assembly language ;)
(So the raq2 users get a grace period, nothing more...)
gsh
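The audit steps described in the reply above (flag inetd.conf lines whose service field is a bare port number, look through startup scripts for anything that launches sh or bash, then map listening ports to the process that owns them) as a small shell script. This is an added example, not code from the original post or from Cobalt; the temp-directory paths, the sample inetd.conf and rc.local contents, and the `portd` line in them are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): helper functions for the checks the
# post recommends, run here against constructed sample files.

# Print inetd.conf entries whose first field is a bare port number rather
# than a service name (e.g. "23" instead of "telnet"). Comment lines and
# blank lines are skipped.
flag_numeric_inetd_services() {
    # $1 = path to an inetd.conf-style file
    grep -v '^[[:space:]]*#' "$1" | grep -E '^[[:space:]]*[0-9]+[[:space:]]'
}

# Print lines in startup scripts that invoke sh or bash as a word
# ("sh", "bash", "/bin/sh", "/bin/bash"), with file name and line number.
# Comment lines (including the "#!/bin/sh" shebang) are dropped so only
# real commands are reported.
find_shell_launchers() {
    # $@ = one or more startup script paths
    for f in "$@"; do
        grep -n -E '(^|[[:space:]/])(ba)?sh([[:space:]]|$)' "$f" \
            | grep -v '^[0-9]*:[[:space:]]*#' \
            | sed "s|^|$f:|"
    done
}

# Live check for a real host, to be run by hand (not executed in this demo):
# list listening sockets, then let lsof name the owning process. The post's
# alternative, fuser, does the same per port (e.g. fuser -n tcp <port>).
list_listeners_with_owners() {
    netstat -an | grep -E 'LISTEN|udp'
    if command -v lsof >/dev/null 2>&1; then
        lsof -i -P -n 2>/dev/null | grep -E 'LISTEN|UDP'
    fi
}

# --- Constructed demo input (not real system files) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

cat > "$DEMO_DIR/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
23      stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
5555    stream  tcp  nowait  root  /bin/sh         sh -i
EOF

cat > "$DEMO_DIR/rc.local" <<'EOF'
#!/bin/sh
# constructed sample rc.local
/usr/sbin/sshd
/usr/local/sbin/portd 5555 /bin/sh &
EOF

echo "== numeric service fields in inetd.conf =="
flag_numeric_inetd_services "$DEMO_DIR/inetd.conf"
echo "== sh/bash launchers in startup scripts =="
find_shell_launchers "$DEMO_DIR/rc.local"
```

On a real box you would point the two functions at /etc/inetd.conf and /etc/rc.d/* and then run list_listeners_with_owners to tie each open port back to a binary; anything the first two checks flag that also shows up as a listener is what to look at first.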