
Re: [cobalt-users] Unhack Script..?



On Fri, 16 Feb 2001, Arsalan Mahmud wrote:

}   Looks like our server is pretty much hacked the same way as yours was,
} please could you give us some details and what to look for?

The box was not ours. Worse yet, perhaps, I'm an old fart and the
mind isn't what it used to be... I should have kept notes but I
wasn't planning to do more of these nor was I planning to post the
kind of message I posted.

	Make sure your sshd is a good one. The unhack script looks
for ssh2d. On the server I worked a new sshd was installed.  We
wouldn't have even noticed this had we not installed the original
sshd in an unusual hidden directory. I don't recall where it was...
but I also found a .ek directory in which the setup scripts for the
hack were being stored. A daemon named 'la' was also running - the
location of the pid was the only tip that something was amiss as it
ended up in both the / directory and in /var/run.

	I had logged onto the box a few days ago and noticed
something amiss with SSHD - the keys didn't match. At that time I
killed the daemon and did some looking and tweaking. Another tech
was also working some unrelated networking problems so my first
thought was that he had made some changes even though I thought him
to be working on the switch on the bandwidth manager rather than on
the servers in the owner's cage. Thus, I didn't get too alarmed at
the time. It was later that same day when the server's owner
found that login was missing and decided his box had more than
likely been cracked. Now I think I inadvertently ended up dumping
the cracker in the middle of the rootkit install. That resulted in
some very obvious clues that made following the trail a bit easier -
much of the cracker stuff was chown 1000.wheel.

	Regardless of what some "experts" may say, the reality of
the situation is that the only sure way to recover from a hack is
with a fresh install using a trusted source. I mean no one any
insult of any type, but if you are doing it yourself and you have to
ask for help, you have to rely on scripts and the like to audit your
server, or you haven't been around long enough to know who knows and
who is blowing smoke, then your only viable option is a full install
from a factory fresh CD which came into your possession direct from
Cobalt.

	The bottom line with unhack.pl is that you're installing
binaries that may or may not be safe to use. I'm not implying that
the script's author's intentions were not and are not honorable or
that the daemons are not safe to run. Fact is they look fine to
me. But when it comes to security paranoia is a valuable attribute:
no one - absolutely no one who really knows their business is going
to install critical daemons, such as sendmail, bind, etc., on a
production server that were supplied in this manner.

	Sorry, and feel free to flame me, but that really is all
there is to it.

	Peace be with you,

	Brent

	Brent Sims
	WebOkay Internet Services
	http://www.WebOkay.net
	Brent@xxxxxxxxxxx
	(719) 595-1427 (Voice/Fax)
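The indicators Brent describes (a swapped sshd, a missing login binary, a stray daemon's pid file in / and /var/run) are exactly what a baseline taken from trusted media lets you catch. The script below is an added example, not from the post or the unhack.pl author; the file paths, the "la.pid" name and the baseline format (sha256sum output) are assumptions for illustration.

```sh
#!/bin/sh
# Added example: compare live system files against a checksum baseline and
# flag pid files that no known daemon should own. The baseline must be
# generated from trusted media and stored off the box; a baseline kept on
# a rooted host is just one more file the intruder can edit.

# verify_baseline BASELINE ROOT
#   BASELINE holds "<sha256>  <relative path>" lines (sha256sum format).
#   Prints MODIFIED/MISSING per mismatch; returns 1 if anything differs.
verify_baseline() {
    baseline=$1; root=$2; rc=0
    while read -r sum path; do
        [ -z "$path" ] && continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        live=$(sha256sum "$root/$path" | cut -d' ' -f1)
        if [ "$live" != "$sum" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# stray_pidfiles ROOT EXPECTED
#   Lists *.pid files directly under ROOT and ROOT/var/run whose basename is
#   not in the space-separated EXPECTED list. A pid file sitting in / as
#   well as /var/run, as with the 'la' daemon, shows up here twice.
stray_pidfiles() {
    root=$1; expected=" $2 "
    for f in "$root"/*.pid "$root"/var/run/*.pid; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        case "$expected" in
            *" $name "*) ;;                  # a daemon we expect to run
            *) echo "STRAY $f" ;;
        esac
    done
}
```

Run verify_baseline against a baseline built with `sha256sum` from the install CD's packages, and treat any MODIFIED line on a core daemon as grounds for the fresh install the post recommends rather than for in-place repair.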