[cobalt-users] RE: Bind Attack
- Subject: [cobalt-users] RE: Bind Attack
- From: "Dale Peck" <dale@xxxxxxxxxxxxxxxxx>
- Date: Tue Feb 20 19:20:05 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
We do have physical access but I have never successfully hooked up a machine
to the serial port - I'll try again in the morning.
-----Original Message-----
From: Eric Welling [mailto:eric@xxxxxxxxxxx]
Sent: Thursday, February 15, 2001 7:58 AM
To: Dale Peck
Subject: Re: Bind Attack
Yes, it was a bind attack, they (singular), replaced ps, login, ifconfig, to
launch rootkit attacks. I have salvaged two machines, but two are alas
un-reachable. I guess I will have to ask the ISP to send back to Cobalt for
re-loading (downcast smile). I have not been able, so far ... to get a
shell.
Will keep trying though ...
I am sorry that this is not too much information for you, but if you have
access, physical, to the machines then maybe you could replace the infected
files and rebuild. I would like to hear any progress.
Dale Peck wrote:
> We lost telnet and ftp on one of our RaQ3s and are still trying to identify
> the problem and its solution. Have you found anything yet?
>
> -------------
>
> Date: Thu, 15 Feb 2001 16:49:15 -0800
> From: eric <eric@xxxxxxxxxxx>
> To: Cobalt Users List <cobalt-users@xxxxxxxxxxxxxxx>
> Subject: [cobalt-users] Question
> Reply-To: cobalt-users@xxxxxxxxxxxxxxx
>
> This is about one of my RaQ3 systems. I believe that I have been the
> subject of a bind attack, maybe, maybe not. But anyway, I lost telnet
> access to the box, still retaining web access. So in my lust for
> resolution, I updated the system software via ftp. Now telnet just gives
> me an authentication error and does not give me a shell. Does anybody
> have any ideas? By the way, I still have ftp, that is how I got the
> logs.
>
> Thanks,
>
> Eric Welling