
Re:[2] [cobalt-users] Unhack Script..?



On Fri, 16 Feb 2001, RaQ3 wrote:

} Why don't you put the things you found here, so everyone who
} suspects a hack can have a look for it, if it is not too much trouble ?

Sorry Thomas,

	I didn't keep notes. I no longer have time to work on
servers owned by others (don't call me) and we've got backups here
that will keep us out of trouble. The only reason I posted the
message was because a lot of people seem to be relying on the unhack
script and chkrootkit - both of which are very very good but neither
of which guarantees a clean server.

	Realize that if one back door remains your server can and
probably will be compromised again shortly after the cracker decides
that you've calmed down and are absolutely certain that your box is
tight and secure.

	I did, however, post enough details in the message that you
replied to for the average person to work from.

	1) a new sshd was installed - ssh2d, which the unhack script
looks for, may be a honey pot of sorts

	2) While I think I inadvertently dumped the cracker while
the root kit was being installed, much of the garbage left behind
was owned by 1000.wheel - it wouldn't hurt to look for files with
this or a similar ownership - any system file with a number for the
owner or the group should be suspect.

	3) Somewhere, sorry but I don't recall where but I do know
that this is one of the things that chkrootkit is very good at
finding, the cracker created a .ek (the dot is important as
chkrootkit looks for hidden directories) directory which contained
the installation scripts. .ek may or may not be on your system but
each and every hidden directory (dot directory name) should be
looked into. If the cracker of your box possessed rudimentary Linux
skills they very well may have used a Cobalt like name - Cobalts
have many hidden directories on them. Problem is the binaries the
cracker installed won't show you their hidden directories. Thus, at
the very least, install a fresh ls somewhere safe and use it and it
alone to hunt for clues.

	4) If you've found one file from the root kit, check the
date for the file. It may be a valid install date and, if it is,
hunting down the rest becomes much easier.

	5) I cannot overemphasize this enough... only install
replacements which were obtained from a trusted source. In this case
that means Cobalt. Truth is, the only viable choice for the average
Cobalt sysop is either doing a clean install from a factory fresh CD
or hiring an expert - and most every expert worth their salt will
back up the user data and do a full install from a factory fresh CD
so you may as well do it yourself and save yourself the bucks.
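
The five points above turned into a sweep script, as an added example that is
not part of the original post, of Cobalt's unhack script or of chkrootkit.
It assumes a GNU or BSD find with -xdev, -mindepth, -nouser and -newer, and it
takes every binary it runs from TRUSTED_BIN, a hypothetical mount of a
known-clean system at /mnt/clean/bin (point 5: a trojaned ls or find will not
show you the cracker's files). The sample tree it builds is constructed for the
demo and is not data from any real compromise; a real run would point ROOT at
/ or at a disk mounted from a clean boot.

```shell
#!/bin/sh
# Added example, not from the original post or from Cobalt.  Every tool
# below is looked up in TRUSTED_BIN first; /mnt/clean/bin is a hypothetical
# mount point for a known-clean copy of find, ls, cmp and friends.
set -u

TRUSTED_BIN="${TRUSTED_BIN:-/mnt/clean/bin}"
if [ -d "$TRUSTED_BIN" ]; then
    PATH="$TRUSTED_BIN:$PATH"
else
    echo "warning: $TRUSTED_BIN not found; using system binaries, which may be trojaned" >&2
fi

# Point 2: files whose owner or group is a bare number with no entry in
# /etc/passwd or /etc/group, like the 1000.wheel leftovers in the post.
# A specific uid can be hunted with: find ROOT -xdev -user 1000
unmapped_owners() {   # unmapped_owners ROOT
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Point 3: every hidden (dot) directory under ROOT.  Cobalt-looking names
# are listed too, so each one can be inspected rather than trusted.
hidden_dirs() {       # hidden_dirs ROOT
    find "$1" -xdev -mindepth 1 -type d -name '.*' -print 2>/dev/null
}

# Point 4: once one rootkit file and its date are known, list everything
# modified in a window around it.  LOWER and UPPER are marker files stamped
# with `touch -t` to bracket that date (kept outside ROOT).
modified_between() {  # modified_between ROOT LOWER UPPER
    find "$1" -xdev -newer "$2" ! -newer "$3" -print 2>/dev/null
}

# Point 5: compare a system binary byte for byte with the trusted copy.
# Returns 0 when identical, non-zero when it differs or no clean copy exists.
verify_binary() {     # verify_binary /path/to/binary
    clean="$TRUSTED_BIN/$(basename "$1")"
    [ -f "$clean" ] && cmp -s "$clean" "$1"
}

# Constructed sample tree so the sweep can be exercised offline.  The
# "rootkit" files are stamped 15 Feb 2001, the good sshd a week earlier,
# and lower/upper bracket the rootkit date by one day on either side.
build_sample_tree() { # build_sample_tree DIR
    mkdir -p "$1/root/usr/sbin" "$1/root/var/tmp/.ek" "$1/root/home/.cobalt"
    printf 'clean sshd\n'   > "$1/root/usr/sbin/sshd"
    printf 'rogue ssh2d\n'  > "$1/root/usr/sbin/ssh2d"
    printf 'install\n'      > "$1/root/var/tmp/.ek/install.sh"
    touch -t 200102151230 "$1/root/usr/sbin/ssh2d" "$1/root/var/tmp/.ek/install.sh"
    touch -t 200102081230 "$1/root/usr/sbin/sshd"
    touch -t 200102140000 "$1/lower"
    touch -t 200102160000 "$1/upper"
}

# Stand-alone demo: ./sweep.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    build_sample_tree "$tmp"
    echo "hidden directories:";      hidden_dirs "$tmp/root"
    echo "modified near rootkit date:"; modified_between "$tmp/root" "$tmp/lower" "$tmp/upper"
    echo "unmapped owners:";         unmapped_owners "$tmp/root"
    rm -rf "$tmp"
fi
```

The window search is the useful trick: an attacker who installs a kit in one
sitting leaves a cluster of mtimes, and `-newer LOWER ! -newer UPPER` pulls
the whole cluster out even when the file names look legitimate. Timestamps
can be forged with touch, so an empty result is not a clean bill of health;
that is the post's reason for reinstalling from the factory CD.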