
Re: [cobalt-users] RaQ3: Hacked again even with all the latest updates installed



On Fri, 23 Feb 2001, Dave wrote:

} Well folks, the crackers got in again. We had all the latest
} patches from cobalt installed, and this time they wiped out
} most of our clients sites, changed my admin password, etc.
} I am currently waiting for our provider to reset my passwords.
} Anyone have any ideas on how they got in this time?

	Did you restore the machine from CD? If not you probably
missed a backdoor that was installed by whoever cracked the machine
in the first place. While auditing a cracked box just last week I
found 4 entirely separate backdoors into the machine - the slickest
one being a modified SSHD which only ran during the scheduled log
rotate. It's important to realize that no one short of a security
expert can ensure that they possess control of the box unless they
restore the machine from CD, and most security experts who are
capable of regaining control of the machine without doing a full
restore would want to do one anyway - just to be sure.

	On the other hand, if you did a full restore and did not
change all the passwords on the server, odds are that the cracker
just used one of the passwords they sniffed while having control of the
box and used it to walk right back in.

	Last, but not least, is the admin/root password secure? The
site admin for the Cobalt mentioned above was using a simple, easily
guessed 4 letter word as a password. While on the box I managed to
get root on MySQL by simply using his 'hacker' name as the password.

	Elmer@xxxxxxxxxxxxxx
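The two checks Elmer's reply implies, as an added example that is not part of the original post or of Cobalt's software: first, enumerate every command a logrotate prerotate/postrotate hook would run and flag any program that is not a normal reload helper (a trojaned sshd started from a rotate hook is exactly what such a listing would expose); second, compare the installed binaries against a hash manifest taken from a known-good install (the CD). The logrotate files, the "binaries", the manifest and the allowlist below are all constructed for the demonstration; on a real box you would point the functions at /etc/logrotate.d and at a manifest built from pristine media, and the allowlist would need to match your own configs.

```shell
#!/bin/sh
# Added example: hunt for a backdoor hidden in scheduled log rotation and for
# replaced system binaries. All paths and file contents are constructed here.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/logrotate.d"

# Constructed logrotate fragment: a legitimate syslog reload.
cat > "$SAMPLE_DIR/logrotate.d/syslog" <<'EOF'
/var/log/messages {
    weekly
    rotate 4
    postrotate
        /usr/bin/killall -HUP syslogd
    endscript
}
EOF

# Constructed fragment planted by an attacker: the prerotate hook starts a
# second sshd from a hidden config, so it only listens while logs rotate.
cat > "$SAMPLE_DIR/logrotate.d/httpd" <<'EOF'
/home/sites/*/logs/access_log {
    weekly
    prerotate
        /usr/sbin/sshd -f /var/tmp/.x/sshd_config -p 31337
    endscript
    postrotate
        /usr/bin/killall -HUP httpd
    endscript
}
EOF

# list_rotate_hooks DIR: print "file: command" for every non-empty line inside
# a prerotate/postrotate/firstaction/lastaction ... endscript block.
list_rotate_hooks() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    awk -v name="$(basename "$f")" '
      /^[[:space:]]*(pre|post|first|last)(rotate|action)[[:space:]]*$/ { inhook=1; next }
      /^[[:space:]]*endscript[[:space:]]*$/                          { inhook=0; next }
      inhook && NF { sub(/^[[:space:]]+/, ""); print name ": " $0 }
    ' "$f"
  done
}

# flag_unexpected_hooks DIR: print hook commands whose program is not on the
# (constructed) allowlist of reload helpers; return 1 if anything was flagged.
flag_unexpected_hooks() {
  found=$(list_rotate_hooks "$1" | while IFS= read -r line; do
    cmd=${line#*: }
    prog=${cmd%% *}
    case "$prog" in
      /usr/bin/killall|/bin/kill|/sbin/service|/etc/init.d/*) ;;  # expected
      *) printf '%s\n' "$line" ;;
    esac
  done)
  [ -n "$found" ] && printf '%s\n' "$found"
  [ -z "$found" ]
}

# hash_file PATH: SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# verify_manifest MANIFEST ROOT: each manifest line is "<sha256> <path>";
# report MODIFIED/MISSING files under ROOT and return 1 if any differ.
verify_manifest() {
  bad=0
  while read -r expected path; do
    [ -n "$path" ] || continue
    if [ ! -f "$2$path" ]; then printf 'MISSING %s\n' "$path"; bad=1; continue; fi
    [ "$(hash_file "$2$path")" = "$expected" ] || { printf 'MODIFIED %s\n' "$path"; bad=1; }
  done < "$1"
  return $bad
}

# Constructed "install CD" baseline: plain text stands in for the binaries.
SAMPLE_ROOT="$SAMPLE_DIR/root"
mkdir -p "$SAMPLE_ROOT/usr/sbin" "$SAMPLE_ROOT/bin"
printf 'pristine sshd from install media\n' > "$SAMPLE_ROOT/usr/sbin/sshd"
printf 'pristine login from install media\n' > "$SAMPLE_ROOT/bin/login"
MANIFEST="$SAMPLE_DIR/manifest.txt"
for p in /usr/sbin/sshd /bin/login; do
  printf '%s %s\n' "$(hash_file "$SAMPLE_ROOT$p")" "$p"
done > "$MANIFEST"
# Simulate the intruder swapping in a modified sshd after the baseline was taken.
printf 'sshd with a hardcoded backdoor password\n' > "$SAMPLE_ROOT/usr/sbin/sshd"

echo "== rotate hooks not on the allowlist =="
flag_unexpected_hooks "$SAMPLE_DIR/logrotate.d" || echo "(review the lines above)"
echo "== binaries differing from the baseline manifest =="
verify_manifest "$MANIFEST" "$SAMPLE_ROOT" || echo "(reinstall from CD and rotate every password)"
```

Neither check is a substitute for the reinstall Elmer recommends: a hash manifest is only as trustworthy as the media it was built from and the tools used to read the files, and a rootkit that replaces awk, sha256sum or the kernel can lie to both functions. They are useful for deciding how far the compromise reached and for confirming, after the rebuild, that the scheduled jobs and package files match the clean state.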