
Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...



Bingo. Thanks again. The force did the trick.

Now maybe I'll sit back and tremble waiting to see what happens next.

Thanks for all the help. It's been a LONG day.

At 03:21 PM 2/27/2001 +1100, you wrote:
If you re-install the net-tools RPM package I mentioned, it will replace
your infected ifconfig (mine was infected too). You might have to use
'rpm -i --force packagename.rpm' or similar to get it to overwrite the
already installed package.

Cheers...
Roger

----- Original Message -----
From: "Cobalt Newbie" <mfahy@xxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, February 27, 2001 2:41 PM
Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...


>
> Thank you, Roger!
>
> Everything's just about where you said it would be, and in the process I've
> found a bunch of the nasty scripts that are responsible for this mess. One
> glitch so far...
>
> Any idea what the checksum's SUPPOSED to be on ifconfig? chkrootkit is
> telling me it's infected, but I have no idea what it should be/where I
> might get a copy that will work on the RAQ3...
>
> I... am... so... tired...
>
> At 12:05 PM 2/27/2001 +1100, you wrote:
> >A search of the archives (or a direct look at
> >http://list.cobalt.com/pipermail/cobalt-users/2001-February/) should
provide
> >most of the answers.
> >
> >In short, the following will have to be done.
> >
> >Restore /etc/inetd.conf. This will probably involve removing the last two or
> >three lines of the file. Any reference to /bin/sh or in.smdb etc should be
> >removed.
> >
> >You'll want to grab the nettools RPM from ftp.cobaltnet.com
> >Full address is:
> >ftp://anonymous@xxxxxxxxxxxxxxxxx/pub/products/raq3/RPMS/net-tools-1.52-2.i386.rpm
> >
> >You should also grab the unhack.pl script that someone made up to replace
> >the compromised binaries (should be able to find address from archives).
> >
> >Also grab chkrootkit from www.chkrootkit.org and see what it finds.
> >
> >Ohh yeah, and remove /usr/sbin/init if it exists.
> >
> >You will probably also find the fake SSH running as nscd (/usr/sbin/nscd or
> >similar).
> >
> >Of course, make sure that before you remove anything like the SSH server,
> >that you have another way of accessing a shell on the system!
> >
> >Cheers...
> >Roger
> >
> >----- Original Message -----
> >From: "Mike Fahy" <xtraprss@xxxxxxxxxxxxx>
> >To: <cobalt-users@xxxxxxxxxxxxxxx>
> >Sent: Thursday, April 05, 2001 8:53 AM
> >Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
> >
> >
> > >
> > > You don't know HOW happy I am to hear that.  I'll pay the fortune and wait
> > > the days to scrape the box IF I HAVE TO, but if there's any chance to avoid
> > > this, I'd like to try first. You're right -- I'm nowhere near my hacked box
> > > (dedicated server), and with a jillion clients counting on it to be there
> > > 24/7, I'd like to keep downtime to a minimum.
> > >
> > > Reading through the t0rn literature, I'm convinced it's what I've got.
> > > Scanning the box from a remote location shows port 33568 returning an
> > > SSH-1.5-1.2.27 message.
> > >
> > > Any ideas what steps I should take? I'm all ears now. (Unfortunately, so is
> > > my machine...)
> > >
> > >
> > > At 09:23 AM 2/27/2001 +1100, you wrote:
> > > >I don't necessarily agree that the *only* remedy is to use the restore CD.
> > > >Many people on this list seem to share your view, and if you have the RAQ
> > > >unit sitting in front of you, all is well and good. However, if you co-locate
> > > >the Raq, and don't have physical access to it, things are a little harder.
> > > >Firstly, the downtime while you have someone restore the system is not good.
> > > >Secondly the cost is somewhat prohibitive in some cases. Thirdly the time
> > > >and effort in restoring all sites is quite significant (esp considering CMU
> > > >etc doesn't do a complete job). Many people have successfully cleaned their
> > > >machines after being hacked, so I think it unwise to say the only remedy is
> > > >to use the restore CD. Furthermore, when you know what rootkit has been used
> > > >on your machine, you can usually find out exactly what has been affected and
> > > >replace the necessary files. I have cleaned several machines of the t0rn
> > > >rootkit, and haven't had any problems since, so I think it's definitely
> > > >worth a try.
> > > >
> > > >Cheers...
> > > >Roger
> > > >
> > > >----- Original Message -----
> > > >From: "cowbridge" <cobalt@xxxxxxxxxxxxx>
> > > >To: <cobalt-users@xxxxxxxxxxxxxxx>
> > > >Sent: Tuesday, February 27, 2001 9:08 AM
> > > >Subject: RE: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
> > > >
> > > >
> > > > > > Ok, checking my files against those found in other posts, I've discovered
> > > > > > that while my login, ls, netstat, ps, du and find commands seem to be "new
> > > > > > and unproved," others appear untainted (checked via MD5 checksums)
> > > > > >
> > > > > > I also don't seem to have all the xlogin, ld.so.hash, crth.o, etc files,
> > > > > > BUT I have come across the directory (empty):
> > > > > >
> > > > > > usr/src/.puta
> > > > > >
> > > > > > This was mentioned by Rik Thomas in an earlier message (2/9). What else
> > > > > > should I be looking for?
> > > > > >
> > > > > > Should I replace my tainted files with those found in the unhack.tar.gz
> > > > > > mentioned here earlier, or....?
> > > > >
> > > > > I'm afraid this is not sort of hacked, but definitely hacked. You have the
> > > > > t0rn rootkit.
> > > > >
> > > > > See http://www.sans.org/y2k/t0rn.htm for details.
> > > > >
> > > > > The only remedy is to use the Restore CD, I'm afraid.
> > > > >
> > > > > Good luck,
> > > > >
> > > > > Roger
> > > > >
> > > >
> >

_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
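Added here as a worked example; it is not code from the thread, from Cobalt, or from the unhack.pl script the messages mention. It turns the clean-up steps Roger lists (inetd.conf entries pointing at /bin/sh or in.smdb, the /usr/src/.puta directory, a stray /usr/sbin/init, the fake sshd running as nscd on port 33568) and the "what should the ifconfig checksum be" question into small POSIX sh functions. Every function takes a path argument so it can be pointed at a mounted image or a test tree rather than trusting the box's own ls, netstat, ps and find, which the thread says were replaced. The sample inetd.conf and /proc/net/tcp contents built by build_sample_tree are constructed for the dry run, not data from the compromised RaQ; the RPM file name passed to compare_ifconfig is the one from Roger's message, and rpm2cpio/cpio/md5sum are assumed to be available for that one function only.

```shell
#!/bin/sh
# Added example (not from the cobalt-users thread). Offline checks for the
# t0rn indicators named in the messages above.

# 1. inetd.conf: any non-comment line that hands a port to /bin/sh or to an
#    "in.smdb"-style daemon is what Roger says to strip. Prints "lineno:text"
#    for each hit and returns 1; returns 0 when the file is clean.
scan_inetd_conf() {
    hits=$(grep -nE '/bin/(ba)?sh|in\.smdb' "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# 2. File-system artefacts the thread associates with the kit. $1 is the root
#    to look under ("/" on the live box). Prints each one that exists.
#    Note: some distributions ship a legitimate /usr/sbin/nscd; confirm with
#    `rpm -qf /usr/sbin/nscd` before deleting it.
check_t0rn_paths() {
    root=${1%/}
    for p in /usr/src/.puta /usr/sbin/init /usr/sbin/nscd; do
        [ -e "$root$p" ] && echo "present: $root$p"
    done
    return 0
}

# 3. Listening TCP ports read straight from the kernel's /proc/net/tcp,
#    bypassing the replaced netstat (a trojaned userland binary can filter
#    its own output, not what the kernel writes here). $1 is the file,
#    normally /proc/net/tcp. Prints one decimal port per line; the fake sshd
#    in the thread sat on 33568 (hex 8320).
listening_ports() {
    while read -r sl laddr raddr st rest; do
        [ "$st" = "0A" ] || continue        # 0A = TCP_LISTEN
        echo $((0x${laddr#*:}))             # laddr is hexIP:hexPort
    done < "$1" | sort -n | uniq
}

# 4. The checksum question: the reference value is whatever is inside the
#    pristine RPM. Extract /sbin/ifconfig from the downloaded package without
#    installing it and hash both copies. `rpm -V net-tools` does the same
#    comparison against the RPM database, provided that was not tampered with.
compare_ifconfig() {
    printf 'pristine  '
    rpm2cpio "$1" | cpio -i --quiet --to-stdout ./sbin/ifconfig | md5sum
    printf 'installed '
    md5sum /sbin/ifconfig
}

# Constructed sample tree for a dry run (illustrative content, not real data).
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/src/.puta" "$d/usr/sbin" "$d/etc" "$d/proc/net"
    : > "$d/usr/sbin/init"
    cat > "$d/etc/inetd.conf" <<'EOF'
# constructed inetd.conf sample
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
# a commented-out /bin/sh line must not count as a hit
smdb    stream  tcp     nowait  root    /usr/sbin/in.smdb in.smdb
15      stream  tcp     nowait  root    /bin/sh sh -i
EOF
    cat > "$d/proc/net/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 00000000:8320 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0 100 0 0 10 0
   2: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0 100 0 0 10 0
EOF
    echo "$d"
}

# Dry run against the constructed tree. On the real box call the functions
# with /etc/inetd.conf, / and /proc/net/tcp, and pass the downloaded
# net-tools-1.52-2.i386.rpm to compare_ifconfig.
SAMPLE=$(build_sample_tree)
echo "== inetd.conf";  scan_inetd_conf "$SAMPLE/etc/inetd.conf" || echo "(needs cleaning)"
echo "== paths";       check_t0rn_paths "$SAMPLE"
echo "== listeners";   listening_ports "$SAMPLE/proc/net/tcp"
rm -rf "$SAMPLE"
```

Run the three read-only checks from a shell you reached by a path other than the suspect sshd (Roger's warning about keeping a second way in applies), and treat a port in listening_ports that the real netstat does not show as the strongest signal of all: it means the binary is lying, whatever chkrootkit says.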