Re: [cobalt-users] hacked raq
- Subject: Re: [cobalt-users] hacked raq
- From: elmer@xxxxxxxxxxxxxx
- Date: Sat Feb 24 08:05:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Wed, 21 Feb 2001, Randy Davis wrote:
} I tried to re-install via rpm the util-linux, but the message I get from the
} RAQ3 is that it can't rename or move /bin/login. Any ideas, short of total
} restore? Thanks!
Savvy crackers set critical binaries immutable in order to
make life hard on the server's owner. man chattr explains how to do
this. Undoing it should be as easy as typing chattr -i /bin/login; you
might also have to do a chattr -a /bin/login
The bright side is that this may be indicative of a better
class of cracker. The downside is that if the file was not made
immutable by a script (i.e., the cracker didn't know their business),
odds are that you are not going to be able to make this box safe
without a full restore.
I regained control of an RAQ3 just a few moments ago upon
which login was set immutable. Found two separate backdoors, both of
which were so deeply buried in a long series of hidden directories
that I had trouble getting at them after I found them. Use ps aux to
look for processes running as /something but for which the daemon
cannot be found in /. Then do a locate and get rid of them -
quickly.
Between you and me, if you find this kind of thing consider
doing a full restore from CD on a new drive or upon a drive that's
been reformatted by someone who knows what they are doing.
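The two checks elmer describes above (spotting chattr-protected binaries, and spotting processes whose command path no longer points at a real file) written out as small sh functions. This is an added example, not code from the list post or from Cobalt; the lsattr and ps lines it runs on are constructed samples, and the /tmp/.nonexistent-placeholder path is a made-up stand-in for a deleted or hidden backdoor location.

```shell
#!/bin/sh
# Added example (not from the cobalt-users thread). Two defender-side checks
# for a box where /bin/login could not be replaced because it was immutable.

# Read lsattr(1) output ("<flags> <path>" per line) on stdin and print the
# paths whose attribute field contains 'i' (immutable) or 'a' (append-only).
# On a live system: lsattr /bin/* /sbin/* /usr/bin/* | flagged_files
flagged_files() {
  awk '$1 ~ /[ia]/ { print $2 }'
}

# Read "PID COMMAND [ARGS...]" lines (as from `ps -eo pid,args`) on stdin and
# print PID and path for every process whose command is an absolute path that
# does not exist on disk: a daemon started from a since-deleted or hidden spot.
# Bracketed kernel threads and bare command names are skipped.
# On a live system: ps -eo pid,args | missing_binaries
missing_binaries() {
  while read -r pid cmd rest; do
    case "$cmd" in
      /*) [ -e "$cmd" ] || printf '%s %s\n' "$pid" "$cmd" ;;
    esac
  done
}

# Constructed sample data standing in for live lsattr/ps output, so the
# script runs offline and shows what a hit looks like.
SAMPLE_LSATTR='----i--------e-- /bin/login
-------------e-- /bin/ls
-----a-------e-- /var/log/wtmp'
SAMPLE_PS='1 /bin/sh -c sleep 10
2 /tmp/.nonexistent-placeholder/httpd -k start
3 [kthreadd]'

echo "immutable/append-only files:"
printf '%s\n' "$SAMPLE_LSATTR" | flagged_files
echo "processes whose binary is missing from disk:"
printf '%s\n' "$SAMPLE_PS" | missing_binaries
```

Once a flagged file is on the list, lsattr on it shows exactly which bits are set and chattr -i / chattr -a (as in the post) clears them so the rpm reinstall can proceed; a process whose binary is missing is the lead to chase with locate or find, as elmer suggests.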