
RE: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...



In root I cannot get this to install... it says that netstat will not delete... unable to unlink... HELP!

Brian


-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Cobalt Newbie
Sent: Monday, February 26, 2001 8:48 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...



Bingo. Thanks again. The force did the trick.

Now maybe I'll sit back and tremble waiting to see what happens next.

Thanks for all the help. It's been a LONG day.

At 03:21 PM 2/27/2001 +1100, you wrote:
>If you re-install the net-tools RPM package I mentioned, it will replace
>your infected ifconfig (mine was infected too). You might have to use
>'rpm -i --force packagename.rpm' or similar to get it to overwrite the
>already installed package.
>
>Cheers...
>Roger
>
>----- Original Message -----
>From: "Cobalt Newbie" <mfahy@xxxxxxxxx>
>To: <cobalt-users@xxxxxxxxxxxxxxx>
>Sent: Tuesday, February 27, 2001 2:41 PM
>Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
>
>
> >
> > Thank you, Roger!
> >
> > Everything's just about where you said it would be, and in the process
> > I've found a bunch of the nasty scripts that are responsible for this
> > mess. One glitch so far...
> >
> > Any idea what the checksum's SUPPOSED to be on ifconfig? chkrootkit is
> > telling me it's infected, but I have no idea what it should be/where I
> > might get a copy that will work on the RAQ3...
> >
> > I... am... so... tired...
> >
> > At 12:05 PM 2/27/2001 +1100, you wrote:
> > >A search of the archives (or a direct look at
> > >http://list.cobalt.com/pipermail/cobalt-users/2001-February/) should
> > >provide most of the answers.
> > >
> > >In short, the following will have to be done.
> > >
> > >Restore /etc/inetd.conf. This will probably involve removing the last
> > >two or three lines of the file. Any reference to /bin/sh or in.smdb etc
> > >should be removed.
> > >
> > >You'll want to grab the nettools RPM from ftp.cobaltnet.com
> > >Full address is:
> > >ftp://anonymous@xxxxxxxxxxxxxxxxx/pub/products/raq3/RPMS/net-tools-1.52-2.i386.rpm
> > >
> > >You should also grab the unhack.pl script that someone made up to
> > >replace the compromised binaries (should be able to find address from
> > >archives).
> > >
> > >Also grab chkrootkit from www.chkrootkit.org and see what it finds.
> > >
> > >Ohh yeah, and remove /usr/sbin/init if it exists.
> > >
> > >You will probably also find the fake SSH running as nscd (/usr/sbin/nscd
> > >or similar).
> > >
> > >Of course, make sure that before you remove anything like the SSH
> > >server, that you have another way of accessing a shell on the system!
> > >
> > >Cheers...
> > >Roger
> > >
> > >----- Original Message -----
> > >From: "Mike Fahy" <xtraprss@xxxxxxxxxxxxx>
> > >To: <cobalt-users@xxxxxxxxxxxxxxx>
> > >Sent: Thursday, April 05, 2001 8:53 AM
> > >Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
> > >
> > >
> > > >
> > > > You don't know HOW happy I am to hear that.  I'll pay the fortune and
> > > > wait the days to scrape the box IF I HAVE TO, but if there's any
> > > > chance to avoid this, I'd like to try first. You're right -- I'm
> > > > nowhere near my hacked box (dedicated server), and with a jillion
> > > > clients counting on it to be there 24/7, I'd like to keep downtime to
> > > > a minimum.
> > > >
> > > > Reading through the t0rn literature, I'm convinced it's what I've got.
> > > > Scanning the box from a remote location shows port 33568 returning a
> > > > SSH-1.5-1.2.27 message.
> > > >
> > > > Any ideas what steps I should take? I'm all ears now. (Unfortunately,
> > > > so is my machine...)
> > > >
> > > > At 09:23 AM 2/27/2001 +1100, you wrote:
> > > > >I don't necessarily agree that the *only* remedy is to use the
> > > > >restore CD. Many people on this list seem to share your view, and if
> > > > >you have the RAQ unit sitting in front of you, all is well and good.
> > > > >However if you co-locate the Raq, and don't have physical access to
> > > > >it, things are a little harder. Firstly, the downtime while you have
> > > > >someone restore the system is not good. Secondly the cost is somewhat
> > > > >prohibitive in some cases. Thirdly the time and effort in restoring
> > > > >all sites is quite significant (esp considering CMU etc doesn't do a
> > > > >complete job). Many people have successfully cleaned their machines
> > > > >after being hacked, so I think it unwise to say the only remedy is to
> > > > >use the restore CD. Furthermore, when you know what rootkit has been
> > > > >used on your machine, you can usually find out exactly what has been
> > > > >affected and replace the necessary files. I have cleaned several
> > > > >machines of the t0rn rootkit, and haven't had any problems since, so
> > > > >I think it's definitely worth a try.
> > > > >
> > > > >Cheers...
> > > > >Roger
> > > > >
> > > > >----- Original Message -----
> > > > >From: "cowbridge" <cobalt@xxxxxxxxxxxxx>
> > > > >To: <cobalt-users@xxxxxxxxxxxxxxx>
> > > > >Sent: Tuesday, February 27, 2001 9:08 AM
> > > > >Subject: RE: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
> > > > >
> > > > >
> > > > > > > Ok, checking my files against those found in other posts, I've
> > > > > > > discovered that while my login, ls, netstat, ps, du and find
> > > > > > > commands seem to be "new and unproved," others appear untainted
> > > > > > > (checked via Md5 checksums)
> > > > > > >
> > > > > > > I also don't seem to have all the xlogin, ld.so.hash, crth.o, etc
> > > > > > > files, BUT I have come across the directory (empty):
> > > > > > >
> > > > > > > usr/src/.puta
> > > > > > >
> > > > > > > This was mentioned by Rik Thomas in an earlier message (2/9). What
> > > > > > > else should I be looking for?
> > > > > > >
> > > > > > > Should I replace my tainted files with those found in the
> > > > > > > unhack.tar.gz mentioned here earlier, or....?
> > > > > >
> > > > > > I'm afraid this is not sort of hacked, but definitely hacked. You
> > > > > > have the t0rn rootkit.
> > > > > >
> > > > > > See http://www.sans.org/y2k/t0rn.htm for details.
> > > > > >
> > > > > > The only remedy is to use the Restore CD, I'm afraid.
> > > > > >
> > > > > > Good luck,
> > > > > >
> > > > > > Roger
> > > > > >
> > > > > > _______________________________________________
> > > > > > cobalt-users mailing list
> > > > > > cobalt-users@xxxxxxxxxxxxxxx
> > > > > > To Subscribe or Unsubscribe, please go to:
> > > > > > http://list.cobalt.com/mailman/listinfo/cobalt-users
> > > > > >

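Following the clean-up list Roger gives in the thread, here is an added shell example (not code from the list, from Cobalt or from unhack.pl) that checks a box for the same indicators from the defender's side: inetd.conf services handed to /bin/sh or the bogus in.smdb, the /usr/src/.puta and /usr/sbin/init paths, and files whose MD5 digest no longer matches the RPM database. All sample data is constructed; the real run would point the functions at /etc/inetd.conf, the live root and `rpm -Va`.

```shell
# Print suspicious, non-comment lines of the inetd.conf given as $1, with
# line numbers. Exit status 0 means something was found, 1 means clean.
find_bad_inetd_entries() {
    grep -nE '/bin/sh|in\.smdb' "$1" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Echo each indicator path that exists under root dir $1 ("" for the live
# system). Returns the number of hits, so status 0 doubles as "clean".
check_t0rn_paths() {
    hits=0
    for p in /usr/src/.puta /usr/sbin/init; do
        if [ -e "$1$p" ]; then
            echo "INDICATOR: $1$p exists"
            hits=$((hits + 1))
        fi
    done
    return $hits
}

# Read 'rpm -V <pkg>' or 'rpm -Va' output on stdin and print only the files
# whose MD5 digest differs ('5' in the flag column); "missing" entries and
# pure mtime/size changes are skipped. These are the packages to reinstall.
digest_mismatches() {
    awk '$1 ~ /5/ { print $NF }'
}

# Constructed fixture (not a real capture): a fake root under $1 with both
# indicators present and a tampered inetd.conf, to exercise the checks.
make_sample_tree() {
    mkdir -p "$1/usr/src/.puta" "$1/usr/sbin" "$1/etc"
    : > "$1/usr/sbin/init"
    printf '%s\n' \
        'ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a' \
        '#telnet stream tcp nowait root /bin/sh sh -i' \
        'smdb    stream tcp nowait root /bin/sh sh -i' \
        'netbios stream tcp nowait root /usr/sbin/in.smdb in.smdb' \
        > "$1/etc/inetd.conf"
}

# Demo against the fixture; on the RaQ3 use /etc/inetd.conf, "" and rpm -Va.
root=$(mktemp -d)
make_sample_tree "$root"
find_bad_inetd_entries "$root/etc/inetd.conf"
check_t0rn_paths "$root" || echo "$? indicator(s) present"
printf 'S.5....T  /sbin/ifconfig\n.......T  /bin/netstat\n' | digest_mismatches
rm -rf "$root"
```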