Re: [cobalt-users] RE: hacked raq
- Subject: Re: [cobalt-users] RE: hacked raq
- From: elmer@xxxxxxxxxxxxxx
- Date: Wed Feb 21 23:05:08 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Thu, 22 Feb 2001, Carrie Bartkowiak wrote:
} Is this just differences in raqhaqrs (another new word) and their methods,
} or are some people doing something that other people aren't doing - and
} thereby restoring su privileges?
Well, here's what we've been doing - not that it will help anyone
who can't su...
We install OpenSSH on all our servers but we install it
non-standardly... Just as the crackers install their stuff in
carefully hidden directories, so we install OpenSSH. I even go so
far as to rename the binary so that it isn't as easily noticed and
so that we can automatically restart it without attracting too much
attention.
While we've so far avoided being exploited, I help out a
competitor from time-to-time who had a few servers that were hacked
and OpenSSH made regaining control of the servers pretty easy.
Another trick is to access the server as the cracker would.
While I am not going to post the details here, nor will I answer any
private requests, most of the root kits I've stumbled upon had fixed
passwords that can be found by anyone who does their homework.
There is a benefit to not being able to get root though. I'm
starting to find more and more hidden tricks on the cracked servers
I've been looking at. I worked one today that had a hidden and
highly customized SSH of sorts running on it which I wouldn't have
found if the two backdoors I easily found were not so dang easy to
find. If it seems too good to be true... so I looked further and
found something named ndcs in /usr/sbin which spilled its guts when
kicked with a -v tag. All total I found 4 ways into the box besides
those that one would normally expect.
At this point in time my opinion is that anyone who doesn't
do a full restore from a CD is sitting on a cracked box that
can be accessed by the cracker when they so desire.
Thus not being able to su just may save you from further
problems.
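The hidden binary in /usr/sbin described above was found by luck. One systematic check a defender can run is a baseline comparison: snapshot the hash, permission bits and size of every file in a directory from known-good media, then diff that against the live box. The script below is an added example, not code from this post or from the cobalt-users list; the file names (`sshd`, `crond`, `syslogd`, and `ndcs` standing in for an unexpected addition) and the temporary directory used in place of /usr/sbin are all constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory):
    """Map each regular file in `directory` to (sha256, permission bits, size).

    Symlinks and subdirectories are skipped. Permission bits are recorded so
    that a chmod u+s on an otherwise untouched binary is still reported.
    """
    entries = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.islink(full) or not os.path.isfile(full):
            continue
        st = os.stat(full)
        entries[name] = (hash_file(full), stat.S_IMODE(st.st_mode), st.st_size)
    return entries


def compare(baseline, current):
    """Diff two snapshots into sorted lists of added, removed and modified names."""
    base_names, cur_names = set(baseline), set(current)
    return {
        "added": sorted(cur_names - base_names),
        "removed": sorted(base_names - cur_names),
        "modified": sorted(n for n in base_names & cur_names
                           if baseline[n] != current[n]),
    }


def _write(directory, name, content, mode=0o755):
    """Helper for the constructed scenario: create a file with given mode."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: a stand-in for /usr/sbin, baselined and then tampered with."""
    with tempfile.TemporaryDirectory() as sbin:
        # Constructed "known-good" contents; these are not real RaQ binaries.
        _write(sbin, "sshd", b"#!/bin/sh\necho legitimate sshd\n")
        _write(sbin, "crond", b"#!/bin/sh\necho legitimate crond\n")
        _write(sbin, "syslogd", b"#!/bin/sh\necho legitimate syslogd\n")
        baseline = snapshot(sbin)

        # Constructed changes of the kinds a post-compromise review looks for.
        _write(sbin, "ndcs", b"#!/bin/sh\necho unexpected binary\n")  # new, unexplained file
        _write(sbin, "sshd", b"#!/bin/sh\necho replaced sshd\n")      # contents replaced
        os.chmod(os.path.join(sbin, "crond"), 0o4755)                   # setuid bit added, contents intact
        os.remove(os.path.join(sbin, "syslogd"))                        # logging daemon removed

        return compare(baseline, snapshot(sbin))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Two caveats follow from the post itself. The baseline has to come from trusted media (the install CD or a pristine image), never from the box under review, or the comparison simply re-blesses whatever the intruder left behind. And the script trusts the kernel's answers to `listdir` and `stat`; a kernel-level rootkit can hide files from every userland tool, so a clean report narrows the search but does not refute the advice above to do a full restore from CD.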