[cobalt-users] RE: Hacked RAQ3 port 514???
- Subject: [cobalt-users] RE: Hacked RAQ3 port 514???
- From: Johan-Kristian Wold <jkwold@xxxxxxxxxxx>
- Date: Tue Feb 27 23:07:00 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Biggest problem I have is that I cannot telnet to the box,
> ALL usernames and passwords are declined!!! Console does not
> work either. So I can not do much with this box!
What you can do, in case you don't have any backups or the like, is
to set up a Linux machine, rip out the Cobalt's drive and mount it in
the Linux machine. Make sure that root on the Linux machine doesn't
have "." in the path (prevents root from accidentally running stuff
in the current dir). Now you can browse through the drive, do backups
and such. I believe you can find something in the list archives on
how to do this.
In case you _do_ have current backups, your safest bet is to
completely restore the box from CD, apply all patches, add intrusion
detection/prevention software (see below), and finally restore web
sites and mail (and generally nothing else...).
Until you're reasonably sure you've got everything patched up,
shutting down all other services than what you need (web, mail, bind
(if you really want to)) would be a good idea - at least until the
hacker frenzy cools down a bit.
If you decide to restore from CD, don't take anything executable
(cgis, scripts or binaries) that you've added to the box from the
backups. Obtain new, fresh versions of them from wherever you got 'em.
And, yes - a proper firewall would be nice, too...
See the list archives to find stuff on ipchains, portsentry, tripwire etc.
Oh - you can find some helpful stuff for recovering at CERT
<http://www.cert.org/nav/recovering.html> Read up :^)
Good luck
Johan-Kr.
--
Johan-Kristian Wold, M.Sc. |
Computer systems administrator | Recursive: Adj. See recursive.
Nor-Trykk Narvik AS |
jkwold@xxxxxxxxxxx | SAM007HM02
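The disk-rescue procedure in the reply above (mount the RaQ's drive in a clean Linux box, keep "." out of root's PATH, then take backups), as an added shell example that is not part of the original post or of any Cobalt software. It assumes a device path and mount point (/dev/hdc1 and /mnt/raq, both placeholders) and an ext2 filesystem on the RaQ disk. It goes a little beyond the post: empty PATH components ("::", or a leading or trailing ":") are treated as "." too, since POSIX shells search the current directory for them, and the disk is mounted read-only with noexec/nosuid/nodev so nothing on the compromised filesystem can run on the rescue host. The mount and tar commands are built and printed rather than executed, so the script runs without root.

```shell
#!/bin/sh
# Added example, not from the original post: hygiene checks before
# examining a compromised Cobalt RaQ disk from a clean Linux host.

# Return 0 (true) if a PATH string searches the current directory:
# either an explicit "." component or an empty component ("::",
# leading or trailing ":"), which the shell also treats as ".".
path_has_cwd() {
    # Wrap in colons so the first and last components are delimited
    # on both sides, then look for ":.:" or "::".
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the PATH string with "." and empty components removed.
path_without_cwd() {
    _out=""
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _comp="${_rest%%:*}"      # component up to the first colon
        _rest="${_rest#*:}"       # remainder after that colon
        case "$_comp" in
            ""|.) ;;              # drop current-directory entries
            *) _out="${_out:+$_out:}$_comp" ;;
        esac
    done
    printf '%s\n' "$_out"
}

# Build the mount command for the suspect disk ($1 = device, $2 = mount
# point). ext2 is assumed for a RaQ of that era; ro,noexec,nosuid,nodev
# keep the foreign filesystem read-only and prevent any binary or
# device node on it from being used on the rescue host.
mount_cmd() {
    printf 'mount -t ext2 -o ro,noexec,nosuid,nodev %s %s\n' "$1" "$2"
}

# Build the backup command: archive the mounted tree ($1) into a
# compressed tar file ($2) on the rescue host's own disk.
backup_cmd() {
    printf 'tar -C %s -czf %s .\n' "$1" "$2"
}

# Stand-alone usage: report on the current PATH and show the commands
# an operator would run (assumed device and mount point are placeholders).
main() {
    if path_has_cwd "$PATH"; then
        echo "WARNING: PATH searches the current directory; use instead:"
        echo "  PATH=$(path_without_cwd "$PATH")"
    else
        echo "PATH is clean (no current-directory component)"
    fi
    echo "Mount the RaQ disk read-only:  $(mount_cmd /dev/hdc1 /mnt/raq)"
    echo "Back it up:                    $(backup_cmd /mnt/raq /var/backup/raq.tar.gz)"
}

main
```

Run it as root on the rescue machine before mounting; if it warns about PATH, export the cleaned value it prints, then execute the two commands it shows after replacing the placeholder device with the one the kernel assigned to the RaQ disk.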