Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
- Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
- From: "Roger Dunk" <roger@xxxxxxxxx>
- Date: Mon Feb 26 17:11:08 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
A search of the archives (or a direct look at
http://list.cobalt.com/pipermail/cobalt-users/2001-February/) should provide
most of the answers.
In short, the following will have to be done.
Restore /etc/inetd.conf. This will probably involve removing the last two or
three lines of the file. Any reference to /bin/sh or in.smdb, etc. should be
removed.
You'll want to grab the net-tools RPM from ftp.cobaltnet.com
Full address is:
ftp://anonymous@xxxxxxxxxxxxxxxxx/pub/products/raq3/RPMS/net-tools-1.52-2.i386.rpm
You should also grab the unhack.pl script that someone made up to replace
the compromised binaries (should be able to find address from archives).
Also grab chkrootkit from www.chkrootkit.org and see what it finds.
Oh yeah, and remove /usr/sbin/init if it exists.
You will probably also find the fake SSH running as nscd (/usr/sbin/nscd or similar).
Of course, make sure that before you remove anything like the SSH server,
that you have another way of accessing a shell on the system!
Cheers...
Roger
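The steps above are a manual checklist. As an added example (not code from the original post or from Cobalt), here is a read-only triage script that checks the same t0rn indicators the thread names: backdoor entries in /etc/inetd.conf, the bogus SSH listener on port 33568, the /usr/sbin/init, /usr/src/.puta and /usr/sbin/nscd artifacts, and binaries whose MD5 no longer matches a known-good manifest. It deliberately reads /proc/net/tcp instead of calling netstat, because the thread says netstat, ps and ls are among the replaced binaries. Every function takes a path argument so it can be pointed at a copied-off filesystem; the manifest format is md5sum's own, and the live-run flag and file names are assumptions of this example. It removes nothing, so the warning about keeping a second shell open still applies before you act on its output.

```shell
#!/bin/sh
# Added example, not from the original post. Read-only triage for the t0rn
# indicators discussed in the thread. All paths are parameters so the checks
# can run against a mounted copy of the disk; nothing here shells out to
# ps, ls or netstat, which the rootkit replaces.

# Print (with line numbers) any inetd.conf entry that spawns /bin/sh or the
# bogus in.smdb service. Exit status 0 = something found, 1 = clean.
inetd_backdoor_lines() {
    grep -n -E '/bin/sh|in\.smdb' "$1"
}

# Decode LISTEN sockets straight from a /proc/net/tcp-format file so a
# trojaned netstat cannot hide a port. Field 2 is local address as
# hexIP:hexPORT, field 4 is the socket state; 0A is TCP_LISTEN.
# Prints one decimal port per line.
listen_ports() {
    tail -n +2 "$1" | while read -r _sl laddr _raddr st _rest; do
        [ "$st" = "0A" ] || continue
        printf '%d\n' "$((0x${laddr#*:}))"
    done
}

# Exit 0 if the given decimal port is listening according to the given
# /proc/net/tcp-format file (e.g. port_is_listening /proc/net/tcp 33568).
port_is_listening() {
    listen_ports "$1" | grep -qx "$2"
}

# Print any of the rootkit artifacts named in the thread that exist under
# the given root (use "" or / for the live system). Exit 0 if any exist.
rootkit_artifacts() {
    root="${1%/}"
    n=0
    for f in /usr/sbin/init /usr/src/.puta /usr/sbin/nscd; do
        if [ -e "$root$f" ]; then
            echo "$root$f"
            n=$((n + 1))
        fi
    done
    [ "$n" -gt 0 ]
}

# Compare binaries against a known-good manifest in md5sum's own format
# ("<md5>  <path>" per line) and print only the ones that do not match.
changed_binaries() {
    md5sum -c "$1" 2>/dev/null | grep -v ': OK$'
}

# Live run against the local system; MANIFEST is an assumed env var pointing
# at a known-good md5 list (e.g. generated from a clean RaQ3 of the same OS).
triage() {
    echo "== inetd.conf entries to review ==";   inetd_backdoor_lines /etc/inetd.conf
    echo "== port 33568 listening? ==";          port_is_listening /proc/net/tcp 33568 && echo yes || echo no
    echo "== rootkit artifacts present ==";      rootkit_artifacts /
    if [ -n "${MANIFEST:-}" ]; then
        echo "== binaries differing from manifest =="; changed_binaries "$MANIFEST"
    fi
}

if [ "${1:-}" = "--live" ]; then
    triage
fi
```

Run it as `sh triage.sh --live` (optionally with `MANIFEST=/path/to/good.md5`) on the suspect box, or call the individual functions against a copied-off filesystem. The 33568 check only confirms a listener; as the thread notes, the fake SSH was seen running under the name nscd, so a hit on the port and a hit on /usr/sbin/nscd together are the signal to look for.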
----- Original Message -----
From: "Mike Fahy" <xtraprss@xxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Thursday, April 05, 2001 8:53 AM
Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
>
> You don't know HOW happy I am to hear that. I'll pay the fortune and wait
> the days to scrape the box IF I HAVE TO, but if there's any chance to avoid
> this, I'd like to try first. You're right -- I'm nowhere near my hacked box
> (dedicated server), and with a jillion clients counting on it to be there
> 24/7, I'd like to keep downtime to a minimum.
>
> Reading through the t0rn literature, I'm convinced it's what I've got.
> Scanning the box from a remote location shows port 33568 returning an
> SSH-1.5-1.2.27 message.
>
> Any ideas what steps I should take? I'm all ears now. (Unfortunately, so is
> my machine...)
>
> At 09:23 AM 2/27/2001 +1100, you wrote:
> >I don't necessarily agree that the *only* remedy is to use the restore CD.
> >Many people on this list seem to share your view, and if you have the RAQ
> >unit sitting in front of you, all is well and good. However if you co-locate
> >the Raq, and don't have physical access to it, things are a little harder.
> >Firstly, the downtime while you have someone restore the system is not good.
> >Secondly the cost is somewhat prohibitive in some cases. Thirdly the time
> >and effort in restoring all sites is quite significant (esp. considering CMU
> >etc. doesn't do a complete job). Many people have successfully cleaned their
> >machines after being hacked, so I think it unwise to say the only remedy is
> >to use the restore CD. Furthermore, when you know what rootkit has been used
> >on your machine, you can usually find out exactly what has been affected and
> >replace the necessary files. I have cleaned several machines of the t0rn
> >rootkit, and haven't had any problems since, so I think it's definitely
> >worth a try.
> >
> >Cheers...
> >Roger
> >
> >----- Original Message -----
> >From: "cowbridge" <cobalt@xxxxxxxxxxxxx>
> >To: <cobalt-users@xxxxxxxxxxxxxxx>
> >Sent: Tuesday, February 27, 2001 9:08 AM
> >Subject: RE: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
> >
> >
> > > > Ok, checking my files against those found in other posts, I've discovered
> > > > that while my login, ls, netstat, ps, du and find commands seem to be "new
> > > > and unproved," others appear untainted (checked via MD5 checksums).
> > > >
> > > > I also don't seem to have all the xlogin, ld.so.hash, crth.o, etc. files,
> > > > BUT I have come across the directory (empty):
> > > >
> > > > usr/src/.puta
> > > >
> > > > This was mentioned by Rik Thomas in an earlier message (2/9). What else
> > > > should I be looking for?
> > > >
> > > > Should I replace my tainted files with those found in the unhack.tar.gz
> > > > mentioned here earlier, or....?
> > >
> > > I'm afraid this is not sort of hacked, but definitely hacked. You have the
> > > t0rn rootkit.
> > >
> > > See http://www.sans.org/y2k/t0rn.htm for details.
> > >
> > > The only remedy is to use the Restore CD, I'm afraid.
> > >
> > > Good luck,
> > >
> > > Roger
> > >
> > > _______________________________________________
> > > cobalt-users mailing list
> > > cobalt-users@xxxxxxxxxxxxxxx
> > > To Subscribe or Unsubscribe, please go to:
> > > http://list.cobalt.com/mailman/listinfo/cobalt-users
> > >
> >
>