Re: [cobalt-users] RE: hacked raq
- Subject: Re: [cobalt-users] RE: hacked raq
- From: flash22@xxxxxxx
- Date: Wed Feb 21 23:00:14 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Thu, 22 Feb 2001, Carrie Bartkowiak wrote:
> > > My ISP just called and had me telnet in, su to root...
>
> I'm confused.
> With the majority of the haqdraqs (new word - like it?) around here, su'ing
> to root was impossible. Login through telnet was impossible.
>
> Is this just differences in raqhaqrs (another new word) and their methods,
> or are some people doing something that other people aren't doing - and
> thereby restoring su privileges?
Yes, or more precisely, a difference in the quality of the rootkits being
used. As a general rule, a 'good' rootkit is one that minimizes the
evidence of its having been installed; this includes allowing, for example,
normal logins to work so you don't suspect anything, and not having cron
mailing you messages every 5 minutes complaining about some odd error...
As a general rule, it's much better to be getting loads of strange errors
and such from the machine; at least you know it's sick, and chances are
the kit used wasn't designed very well, and/or wasn't used by someone
skillful. The worst compromises are the ones that people don't even know
they have yet... And I suspect at least 2 or 3 of the recent 'I got hacked'
messages I've seen here are from machines that in fact got compromised
some time ago, and no one noticed till they got paranoid from all the list
messages and went looking for odd things...
The sad thing is how many people are asking for replacement
binaries... which tells me they don't have complete backups of their
machines to get them from... It's so easy to say 'I should have backed up
my machine' *after* you need the data....
(It would also be nice if Cobalt made some of the more critical binaries
available on their ftp site somewhere in non-packaged form or as a /bin
repair package, but I suppose they would get less consulting work that way
-/
gsh
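The point above is that a well-made rootkit leaves no obvious symptoms, so the only reliable way to spot replaced binaries is to compare them against a baseline taken from a known-clean system (or from the backups the post says people should have). The following is an added example, not code from the post or from Cobalt; it assumes a POSIX shell with `sha256sum` (or `shasum`) available, and the baseline manifest being stored off the box so the intruder cannot edit it too.

```shell
#!/bin/sh
# Record a hash baseline of a binary directory, then report which files
# have changed or gone missing. Paths below are a constructed demo.

hash_cmd() {
    # Use whichever SHA-256 tool the host provides (assumption: one exists).
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"
    fi
}

# make_manifest DIR OUT: one "hash path" line per regular file under DIR.
make_manifest() {
    dir=$1; out=$2
    : > "$out"
    find "$dir" -type f | LC_ALL=C sort | while read -r f; do
        h=$(hash_cmd "$f" | cut -d' ' -f1)
        printf '%s %s\n' "$h" "$f" >> "$out"
    done
}

# verify_manifest MANIFEST: print CHANGED/MISSING lines; exit 1 on any
# difference, 0 when every file still matches the baseline.
verify_manifest() {
    manifest=$1; rc=0
    while read -r h f; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; rc=1
        elif [ "$(hash_cmd "$f" | cut -d' ' -f1)" != "$h" ]; then
            echo "CHANGED $f"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Constructed demo: a fake /bin, a baseline, then a silently swapped ls
# and a deleted ps, as a rootkit that hides its tracks might leave them.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf 'original ls\n' > "$tmp/bin/ls"
    printf 'original ps\n' > "$tmp/bin/ps"
    make_manifest "$tmp/bin" "$tmp/baseline.txt"
    printf 'trojaned ls\n' > "$tmp/bin/ls"   # same name, different content
    rm "$tmp/bin/ps"
    verify_manifest "$tmp/baseline.txt" | sed "s|$tmp/bin/||"
    rm -rf "$tmp"
}
```

Run `demo` to see the report; on a real host you would take the baseline before the machine goes on the network and keep it on read-only or off-box storage.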