
Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...



If you re-install the net-tools RPM package I mentioned, it will replace
your infected ifconfig (mine was infected too). You might have to use
'rpm -i --force packagename.rpm' or similar to get it to overwrite the
already installed package.

Cheers...
Roger

----- Original Message -----
From: "Cobalt Newbie" <mfahy@xxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, February 27, 2001 2:41 PM
Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...


>
> Thank you, Roger!
>
> Everything's just about where you said it would be, and in the process I've
> found a bunch of the nasty scripts that are responsible for this mess. One
> glitch so far...
>
> Any idea what the checksum's SUPPOSED to be on ifconfig? chkrootkit is
> telling me it's infected, but I have no idea what it should be/where I
> might get a copy that will work on the RAQ3...
>
> I... am... so... tired...
>
>
>
>
> At 12:05 PM 2/27/2001 +1100, you wrote:
> >A search of the archives (or a direct look at
> >http://list.cobalt.com/pipermail/cobalt-users/2001-February/) should provide
> >most of the answers.
> >
> >In short, the following will have to be done.
> >
> >Restore /etc/inetd.conf. This will probably involve removing the last two or
> >three lines of the file. Any reference to /bin/sh or in.smdb etc should be
> >removed.
> >
> >You'll want to grab the nettools RPM from ftp.cobaltnet.com
> >Full address is:
> >ftp://anonymous@xxxxxxxxxxxxxxxxx/pub/products/raq3/RPMS/net-tools-1.52-2.i386.rpm
> >
> >You should also grab the unhack.pl script that someone made up to replace
> >the compromised binaries (should be able to find address from archives).
> >
> >Also grab chkrootkit from www.chkrootkit.org and see what it finds.
> >
> >Ohh yeah, and remove /usr/sbin/init if it exists.
> >
> >You will probably also find the fake SSH running as nscd (/usr/sbin/nscd or
> >similar).
> >
> >Of course, make sure that before you remove anything like the SSH server,
> >that you have another way of accessing a shell on the system!
> >
> >Cheers...
> >Roger
> >
> >----- Original Message -----
> >From: "Mike Fahy" <xtraprss@xxxxxxxxxxxxx>
> >To: <cobalt-users@xxxxxxxxxxxxxxx>
> >Sent: Thursday, April 05, 2001 8:53 AM
> >Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
> >
> >
> > >
> > > You don't know HOW happy I am to hear that. I'll pay the fortune and wait
> > > the days to scrape the box IF I HAVE TO, but if there's any chance to avoid
> > > this, I'd like to try first. You're right -- I'm nowhere near my hacked box
> > > (dedicated server), and with a jillion clients counting on it to be there
> > > 24/7, I'd like to keep downtime to a minimum.
> > >
> > > Reading through the t0rn literature, I'm convinced it's what I've got.
> > > Scanning the box from a remote location shows port 33568 returning an
> > > SSH-1.5-1.2.27 message.
> > >
> > > Any ideas what steps I should take? I'm all ears now. (Unfortunately, so
> > > is my machine...)
> > >
> > > At 09:23 AM 2/27/2001 +1100, you wrote:
> > > >I don't necessarily agree that the *only* remedy is to use the restore CD.
> > > >Many people on this list seem to share your view, and if you have the RAQ
> > > >unit sitting in front of you, all is well and good. However if you co-locate
> > > >the Raq, and don't have physical access to it, things are a little harder.
> > > >Firstly, the downtime while you have someone restore the system is not good.
> > > >Secondly the cost is somewhat prohibitive in some cases. Thirdly the time
> > > >and effort in restoring all sites is quite significant (esp considering CMU
> > > >etc doesn't do a complete job). Many people have successfully cleaned their
> > > >machines after being hacked, so I think it unwise to say the only remedy is
> > > >to use the restore CD. Furthermore, when you know what rootkit has been used
> > > >on your machine, you can usually find out exactly what has been affected and
> > > >replace the necessary files. I have cleaned several machines of the t0rn
> > > >rootkit, and haven't had any problems since, so I think it's definitely
> > > >worth a try.
> > > >
> > > >Cheers...
> > > >Roger
> > > >
> > > >----- Original Message -----
> > > >From: "cowbridge" <cobalt@xxxxxxxxxxxxx>
> > > >To: <cobalt-users@xxxxxxxxxxxxxxx>
> > > >Sent: Tuesday, February 27, 2001 9:08 AM
> > > >Subject: RE: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
> > > >
> > > >
> > > > > > Ok, checking my files against those found in other posts, I've
> > > > > > discovered that while my login, ls, netstat, ps, du and find commands
> > > > > > seem to be "new and unproved," others appear untainted (checked via
> > > > > > MD5 checksums)
> > > > > >
> > > > > > I also don't seem to have all the xlogin, ld.so.hash, crth.o, etc
> > > > > > files, BUT I have come across the directory (empty):
> > > > > > BUT I have come across the directory (empty):
> > > > > >
> > > > > > usr/src/.puta
> > > > > >
> > > > > > This was mentioned by Rik Thomas in an earlier message (2/9). What
> > > > > > else should I be looking for?
> > > > > >
> > > > > > Should I replace my tainted files with those found in the
> > > > > > unhack.tar.gz mentioned here earlier, or....?
> > > > >
> > > > > I'm afraid this is not sort of hacked, but definitely hacked. You have
> > > > > the t0rn rootkit.
> > > > >
> > > > > See http://www.sans.org/y2k/t0rn.htm for details.
> > > > >
> > > > > The only remedy is to use the Restore CD, I'm afraid.
> > > > >
> > > > > Good luck,
> > > > >
> > > > > Roger
> > > > >
> > > > > _______________________________________________
> > > > > cobalt-users mailing list
> > > > > cobalt-users@xxxxxxxxxxxxxxx
> > > > > To Subscribe or Unsubscribe, please go to:
> > > > > http://list.cobalt.com/mailman/listinfo/cobalt-users
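The steps Roger lists in his earlier message (restore /etc/inetd.conf, look for /usr/src/.puta and /usr/sbin/init, find the fake SSH listener, replace ifconfig) and the "what's the checksum supposed to be" question above can be reduced to a read-only triage script that reports and changes nothing. This is an added example, not code from the thread, from Cobalt, or from the unhack.pl script mentioned; the function names, the default paths and the sample inputs are assumptions, and reading /proc/net/tcp directly is my substitution for netstat, which the thread says is one of the replaced binaries. The RPM check asks the package database what the installed net-tools files should hash to, so no known-good copy of ifconfig is needed to answer the checksum question.

```sh
#!/bin/sh
# Added example (not from the thread): read-only triage for the t0rn
# indicators discussed on the list. Paths and sample data are assumptions.
# It never deletes or replaces anything; act on its output by hand.

# 1. Flag inetd.conf entries referencing /bin/sh or in.smdb, the lines the
#    thread says must be removed. Prints them with line numbers;
#    returns 1 if any were found, 0 if the file looks clean.
scan_inetd_conf() {
    file="${1:-/etc/inetd.conf}"
    # drop comment lines first, then look for the two indicators
    if grep -v '^[[:space:]]*#' "$file" | grep -nE '/bin/sh|in\.smdb'; then
        return 1
    fi
    return 0
}

# 2. Look for the t0rn artefacts named in the thread below a root prefix
#    (empty prefix = the live system). Returns 1 if anything is present.
check_t0rn_paths() {
    root="${1:-}"
    rc=0
    for p in /usr/src/.puta /usr/sbin/init; do
        if [ -e "$root$p" ]; then
            echo "present: $root$p"
            rc=1
        fi
    done
    return $rc
}

# 3. Print TCP ports in LISTEN state (state column 0A) from a file in
#    /proc/net/tcp format, decoding the hex port. Because the kernel
#    writes this file, a replaced netstat cannot hide a listener such as
#    the SSH-1.5-1.2.27 service on 33568 from it.
listening_ports() {
    file="${1:-/proc/net/tcp}"
    # skip the header; field 2 is local IP:port in hex, field 4 is state
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$file" |
    while read -r hexport; do
        printf '%d\n' "0x$hexport"
    done
}

# 4. Compare installed net-tools files (ifconfig among them) with the RPM
#    database; a '5' in the status column means the MD5 sum differs from
#    the package. Returns 2 when rpm is not available on this machine.
verify_net_tools() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -V net-tools
    else
        echo "rpm not found; cannot verify net-tools"
        return 2
    fi
}

# Usage on the live system (report only):
#   scan_inetd_conf /etc/inetd.conf
#   check_t0rn_paths
#   listening_ports
#   verify_net_tools
```

Run it from a shell you already trust to keep (Roger's warning about not killing your only way in still applies), and treat `rpm -V` as a hint rather than proof: it trusts both the rpm binary and the package database on the compromised box, so the final word on ifconfig is the copy that arrives in the vendor's net-tools RPM once it is reinstalled as described at the top of this message.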