Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...

[Mike Fahy <xtraprss@xxxxxxxxxxxxx>]

You don't know HOW happy I am to hear that.  I'll pay the fortune and wait 
the days to scrape the box IF I HAVE TO, but if there's any chance to avoid 
this, I'd like to try first. You're right -- I'm nowhere near my hacked box 
(dedicated server), and with a jillion clients' counting on it to be there 
24/7, I'd like to keep downtime to a minimum.

Reading through the t0rn literature, I'm convinced it's what I've got. 
Scanning the box from a remote location shows port 33568 returning a 
SSH-1.5-1.2.27 message)

Any ideas what steps I should take? I'm all ears now. (Unfortunately, so is 
my machine...)








At 09:23 AM 2/27/2001 +1100, you wrote:
> I don't necessarily agree that the *only* remedy is to use the restore CD.
> Many people on this list seem to share your view, and if you have the RAQ
> unit sitting in front of you, all is well and good. However if you co-locate
> the Raq, and don't have physical access to it, things are a little harder.
> Firstly, the downtime while you have someone restore the system is not good.
> Secondly the cost is somewhat prohibitive in some cases. Thirdly the time
> and effort in restoring all sites is quite significant (esp considering CMU
> etc doesn't do a complete job). Many people have sucessfully cleaned their
> machines after being hacked, so I think it unwise to say the only remedy is
> to use the restore CD. Furthermore, when you know what rootkit has been used
> on your machine, you can usually find out exactly what has been affected and
> replace the necessary files. I have cleaned several machines of the t0rn
> rootkit, and haven't had any problems since, so I think it's definately
> worth a try.
>
> Cheers...
> Roger
>
> ----- Original Message -----
> From: "cowbridge" <cobalt@xxxxxxxxxxxxx>
> To: <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Tuesday, February 27, 2001 9:08 AM
> Subject: RE: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
>
>
> > > Ok, checking my files against those found in other posts, I've
> discovered
> > > that while my login, ls, netstat,  ps, du and find commands seem
> > > to be "new
> > > and unproved," others appear untainted (checked via Md5 checksums)
> > >
> > > I also don't seem to have all the xlogin, ld.so.hash, crth.o, etc files,
> > > BUT I have come across the directory (empty):
> > >
> > > usr/src/.puta
> > >
> > > This was mentioned by Rik Thomas in an earlier message (2/9). What else
> > > should I be looking for?
> > >
> > > Should I replace my tainted files with those found in the unhack.tar.gz
> > > mentioned here earlier, or....?
> >
> > I'm afraid this is not sort of hacked, but definitley hacked. You have the
> > t0rn rootkit.
> >
> > See http://www.sans.org/y2k/t0rn.htm for details.
> >
> > The only remedy is to use the Restore CD, I'm afraid.
> >
> > Good luck,
> >
> > Roger
> >
> > _______________________________________________
> > cobalt-users mailing list
> > cobalt-users@xxxxxxxxxxxxxxx
> > To Subscribe or Unsubscribe, please go to:
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
> >
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users