
Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...



On Mon, 26 Feb 2001 elmer@xxxxxxxxxxxxxx wrote:

> On Tue, 27 Feb 2001, Roger Dunk wrote:
> 
> } to use the restore CD. Furthermore, when you know what rootkit has been used
> } on your machine, you can usually find out exactly what has been affected and
> } replace the necessary files. I have cleaned several machines of the t0rn
> } rootkit, and haven't had any problems since, so I think it's definitely
> } worth a try.
> 
> 	This may be true for someone that knows what they are doing, but
> I've also noticed a few postings from people who claim to have been
> hacked again shortly after cleaning their server. They could have
> just as easily missed a backdoor. In situations such as this, where
> the level of technical expertise is low, suggesting anything other
> than the best way can and just might cause more problems than the
> right way of fixing it would have.
> 
> 	The reality of the situation is this: unless a full and
> complete audit of the box is done by someone that really knows what
> they are doing there is no way to be sure that all the backdoors
> have been found.

I would have to say even after a full audit etc., with the system
secure running Named and smtpd and httpd ONLY and all the Updates from Cobalt,
all should have been OK, BUT the GUI says the Bind update is installed
and running, yet you check and guess what, you're still running the original
BROKEN Named. And yes, 9 days after the initial Hack they broke into NAMED
just through the fact of the Update saying it worked and it did not.

I spent 2 days trying to get the new NAMED to work and all I got was
errors. So now my RaQ3 runs HTTPd and SMTP and POP3 and that's it, finished.

All the other services are just too broken. If they want to use FTP they
need to ASK me to start it and I will stop it after they have finished.

I am not really happy with the speed of the updates so I will avoid using it
for anything other than needed.

Tired Techsupport
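The failure described above (the update status says the new Bind is installed, yet the process still executing is the old named) is exactly what a status page cannot tell you. The following is an added example, not code from the thread or from Cobalt: it compares what a process is actually executing (/proc/<pid>/exe on Linux) with the binary on disk, and flags the case where the file was replaced after the daemon started. The daemon name and path in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Verifies that a running daemon
# is really executing the binary an update installed, instead of trusting a GUI
# status page. Assumes Linux (/proc). Daemon name/path below are placeholders.

# Exit status: 0 = process runs the expected on-disk binary,
#              1 = runs a different binary (or cannot be inspected),
#              2 = binary on disk was replaced/removed after the process
#                  started, so the process still runs the OLD image.
check_daemon_binary() {
    pid=$1
    actual=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 1
    case "$actual" in
        *" (deleted)") return 2 ;;   # kernel marks a replaced/unlinked image
    esac
    exp_path=$(readlink -f "$2" 2>/dev/null) || return 1
    [ "$actual" = "$exp_path" ]
}

# Print the PIDs whose command name matches $1 (e.g. "named"), one per line,
# by scanning /proc/<pid>/comm; no dependency on pidof/pgrep.
pids_named() {
    for d in /proc/[0-9]*; do
        [ "$(cat "$d/comm" 2>/dev/null)" = "$1" ] && echo "${d#/proc/}"
    done
    return 0
}

# One line of report per running instance of the daemon; returns 1 if any
# instance is not executing the expected binary.
report_daemon() {
    name=$1 want=$2 bad=0
    for p in $(pids_named "$name"); do
        rc=0; check_daemon_binary "$p" "$want" || rc=$?
        case $rc in
            0) echo "$name[$p]: OK, running $want" ;;
            2) echo "$name[$p]: STALE, still running the pre-update image"; bad=1 ;;
            *) echo "$name[$p]: MISMATCH, exe is $(readlink "/proc/$p/exe")"; bad=1 ;;
        esac
    done
    return $bad
}

# Usage (placeholder daemon and path): report_daemon named /usr/sbin/named
```

A STALE result after an update means the daemon was never restarted (or the update never replaced the file at all), regardless of what the update page reports.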



> 
> 	I've only cleaned two boxes so the stats cannot be taken to
> the bank, but the results are clear. One box was easy to clean
> although the unhack.pl script would have missed the additional
> modified SSHD and the other box had so many tricks installed
> that re-installing from a CD was the only viable option even though
> recommending that they do so cost me a rather nice fee.
> 
> 	I'm certainly not looking for an argument but I simply don't
> think that suggesting that someone who isn't comfortable and quite
> handy at the shell prompt can successfully unhack their server is
> something we ought to be doing.
> 