
[cobalt-users] If you have been a victim



Alrighty then, I know not everyone's hacker herpes have exactly
resembled mine; but around midnight on Friday, most of my inetd
services (on my Raq3) stopped responding, telnet among them;
and with my box hosted remotely, my recourse was limited. My problem seems
to be at least temporarily resolved; here is what I did, if anyone
finds it to be of any help. Bear in mind, I don't warrant any
part of this procedure lest the sue-happy among you decide to come
after me; you can prescribe your own aspirin, thank you very much.

1) I obtained and installed the SSH server from the Cobalt packages
page here:
http://pkg.nl.cobalt.com/

There was also a client page; but I already had it on my local
Linux box and it worked just fine. If you need a Windows version,
I've tested telneat:
http://telneat.lipetsk.ru/

and it seems to get the job done.

Using the above I was able to log in.

2) I browsed about for signs of hacker activity, checking filenames
and dates, password files, logs, the usual suspects, with no luck.
But inetd.conf had been emptied. I copied inetd.conf.master
to the inetd.conf filename, sighup'ed inetd and appear to
have returned to normal functioning.

Now, to be fair, I may have voided every line of any Cobalt warranty
I have, so I immediately did a full MANUAL backup via ftp, mirroring
everything that a Cobalt restore CD would destroy. I'm not sure I
went about this the best possible way - hell, I'm not even sure
I was hacked at this point. But I suggest if you follow this course
of action that you make a good backup your first priority and catching
up on security and OS update packages your second.

Good luck. My heart goes out to anyone who was hit by these little
hacker pricks this weekend. I know that sinking feeling all too
well. And thanks to Jeff Lasman who pointed out that inetd was
suspect in my case, very astute, and when you're right you are right.
------------------------------
Clark E. Morgan
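
The check behind step 2 of the post above, as an added example that is not part of the original message: it lists the services that inetd.conf.master enables but the live inetd.conf does not, which is how an emptied inetd.conf shows up. The function names and the /etc/ default paths are assumptions; the post names the two files but not their directory.

```shell
#!/bin/sh
# Added example (not from the original post): compare the active entries in
# the live inetd.conf with those in the inetd.conf.master copy. Read-only.

# Print "service/protocol" for every active entry in an inetd.conf-style file.
# Comment lines start with '#'; a real entry has at least six fields.
inetd_active() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 "/" $3 }' "$1" | sort -u
}

# Print entries that are active in the master copy ($2) but not in the live
# file ($1). An emptied live file yields every service the master enables.
inetd_missing() {
    live=$(mktemp) && master=$(mktemp) || return 2
    inetd_active "$1" > "$live"
    inetd_active "$2" > "$master"
    comm -13 "$live" "$master"
    rm -f "$live" "$master"
}

# Exit status: 0 = nothing missing, 1 = services missing, 2 = unreadable file.
# The default paths are assumptions; pass the real ones as arguments.
inetd_check() {
    conf=${1:-/etc/inetd.conf}
    ref=${2:-/etc/inetd.conf.master}
    [ -r "$conf" ] && [ -r "$ref" ] || {
        echo "cannot read $conf or $ref" >&2
        return 2
    }
    missing=$(inetd_missing "$conf" "$ref")
    if [ -z "$missing" ]; then
        echo "OK: every service enabled in $ref is enabled in $conf"
        return 0
    fi
    echo "WARNING: $conf lacks services that $ref enables:"
    echo "$missing" | sed 's/^/  /'
    return 1
}

# Usage: inetd_check /etc/inetd.conf /etc/inetd.conf.master
```

A non-zero result only says the two files disagree; a service that was deliberately disabled in the live file will be reported as well.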