Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
- Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
- From: "Roger Dunk" <roger@xxxxxxxxx>
- Date: Thu Mar 1 12:18:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
The file is probably immutable. Run 'chattr -i netstat' as root to remove
the attribute, and try again.
Cheers...
Roger
----- Original Message -----
From: "Brian Watters" <brwatters@xxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, February 27, 2001 4:03 PM
Subject: RE: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
> In root I can not get this to install .. says that netstat will not delete
> .. unable to unlink .. HELP!
>
> Brian
>
>
> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Cobalt Newbie
> Sent: Monday, February 26, 2001 8:48 PM
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
>
>
>
> Bingo. Thanks again. The force did the trick.
>
> Now maybe I'll sit back and tremble waiting to see what happens next.
>
> Thanks for all the help. It's been a LONG day.
>
> At 03:21 PM 2/27/2001 +1100, you wrote:
> >If you re-install the net-tools RPM package I mentioned, it will replace
> >your infected ifconfig (mine was infected too). You might have to use
> >'rpm -i --force packagename.rpm' or similar to get it to overwrite the
> >already installed package.
> >
> >Cheers...
> >Roger
> >
> >----- Original Message -----
> >From: "Cobalt Newbie" <mfahy@xxxxxxxxx>
> >To: <cobalt-users@xxxxxxxxxxxxxxx>
> >Sent: Tuesday, February 27, 2001 2:41 PM
> >Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
> >
> >
> > >
> > > Thank you, Roger!
> > >
> > > Everything's just about where you said it would be, and in the process I've
> > > found a bunch of the nasty scripts that are responsible for this mess. One
> > > glitch so far...
> > >
> > > Any idea what the checksum's SUPPOSED to be on ifconfig? chkrootkit is
> > > telling me it's infected, but I have no idea what it should be/where I
> > > might get a copy that will work on the RAQ3...
> > >
> > > I... am... so... tired...
> > >
> > >
> > > At 12:05 PM 2/27/2001 +1100, you wrote:
> > > >A search of the archives (or a direct look at
> > > >http://list.cobalt.com/pipermail/cobalt-users/2001-February/) should provide
> > > >most of the answers.
> > > >
> > > >In short, the following will have to be done.
> > > >
> > > >Restore /etc/inetd.conf. This will probably involve removing the last two or
> > > >three lines of the file. Any reference to /bin/sh or in.smdb etc should be
> > > >removed.
> > > >
> > > >You'll want to grab the nettools RPM from ftp.cobaltnet.com
> > > >Full address is:
> > > >ftp://anonymous@xxxxxxxxxxxxxxxxx/pub/products/raq3/RPMS/net-tools-1.52-2.i386.rpm
> > > >
> > > >You should also grab the unhack.pl script that someone made up to replace
> > > >the compromised binaries (should be able to find address from archives).
> > > >
> > > >Also grab chkrootkit from www.chkrootkit.org and see what it finds.
> > > >
> > > >Ohh yeah, and remove /usr/sbin/init if it exists.
> > > >
> > > >You will probably also find the fake SSH running as nscd (/usr/sbin/nscd or
> > > >similar).
> > > >
> > > >Of course, make sure that before you remove anything like the SSH server,
> > > >that you have another way of accessing a shell on the system!
> > > >
> > > >Cheers...
> > > >Roger
> > > >
> > > >----- Original Message -----
> > > >From: "Mike Fahy" <xtraprss@xxxxxxxxxxxxx>
> > > >To: <cobalt-users@xxxxxxxxxxxxxxx>
> > > >Sent: Thursday, April 05, 2001 8:53 AM
> > > >Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
> > > >
> > > >
> > > > >
> > > > > You don't know HOW happy I am to hear that. I'll pay the fortune and wait
> > > > > the days to scrape the box IF I HAVE TO, but if there's any chance to avoid
> > > > > this, I'd like to try first. You're right -- I'm nowhere near my hacked box
> > > > > (dedicated server), and with a jillion clients counting on it to be there
> > > > > 24/7, I'd like to keep downtime to a minimum.
> > > > >
> > > > > Reading through the t0rn literature, I'm convinced it's what I've got.
> > > > > Scanning the box from a remote location shows port 33568 returning a
> > > > > SSH-1.5-1.2.27 message.
> > > > >
> > > > > Any ideas what steps I should take? I'm all ears now. (Unfortunately, so
> > > > > is my machine...)
> > > > >
> > > > >
> > > > > At 09:23 AM 2/27/2001 +1100, you wrote:
> > > > > >I don't necessarily agree that the *only* remedy is to use the restore CD.
> > > > > >Many people on this list seem to share your view, and if you have the RAQ
> > > > > >unit sitting in front of you, all is well and good. However if you co-locate
> > > > > >the Raq, and don't have physical access to it, things are a little harder.
> > > > > >Firstly, the downtime while you have someone restore the system is not good.
> > > > > >Secondly the cost is somewhat prohibitive in some cases. Thirdly the time
> > > > > >and effort in restoring all sites is quite significant (esp considering CMU
> > > > > >etc doesn't do a complete job). Many people have successfully cleaned their
> > > > > >machines after being hacked, so I think it unwise to say the only remedy is
> > > > > >to use the restore CD. Furthermore, when you know what rootkit has been used
> > > > > >on your machine, you can usually find out exactly what has been affected and
> > > > > >replace the necessary files. I have cleaned several machines of the t0rn
> > > > > >rootkit, and haven't had any problems since, so I think it's definitely
> > > > > >worth a try.
> > > > > >
> > > > > >Cheers...
> > > > > >Roger
> > > > > >
> > > > > >----- Original Message -----
> > > > > >From: "cowbridge" <cobalt@xxxxxxxxxxxxx>
> > > > > >To: <cobalt-users@xxxxxxxxxxxxxxx>
> > > > > >Sent: Tuesday, February 27, 2001 9:08 AM
> > > > > >Subject: RE: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
> > > > > >
> > > > > >
> > > > > > > > Ok, checking my files against those found in other posts, I've discovered
> > > > > > > > that while my login, ls, netstat, ps, du and find commands seem to be "new
> > > > > > > > and unproved," others appear untainted (checked via Md5 checksums)
> > > > > > > >
> > > > > > > > I also don't seem to have all the xlogin, ld.so.hash, crth.o, etc files,
> > > > > > > > BUT I have come across the directory (empty):
> > > > > > > >
> > > > > > > > usr/src/.puta
> > > > > > > >
> > > > > > > > This was mentioned by Rik Thomas in an earlier message (2/9). What else
> > > > > > > > should I be looking for?
> > > > > > > >
> > > > > > > > Should I replace my tainted files with those found in the unhack.tar.gz
> > > > > > > > mentioned here earlier, or....?
> > > > > > >
> > > > > > > I'm afraid this is not sort of hacked, but definitely hacked. You have the
> > > > > > > t0rn rootkit.
> > > > > > >
> > > > > > > See http://www.sans.org/y2k/t0rn.htm for details.
> > > > > > >
> > > > > > > The only remedy is to use the Restore CD, I'm afraid.
> > > > > > >
> > > > > > > Good luck,
> > > > > > >
> > > > > > > Roger
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > cobalt-users mailing list
> > > > > > > cobalt-users@xxxxxxxxxxxxxxx
> > > > > > > To Subscribe or Unsubscribe, please go to:
> > > > > > > http://list.cobalt.com/mailman/listinfo/cobalt-users
> > > > > > >
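Added example, not from any message in this thread, from Cobalt, or from chkrootkit: a small Python triage script that checks, from captured text rather than by trusting the suspect host's own tools, the indicators the replies above describe. It parses lsattr output for system binaries carrying the immutable flag (the reason `rm` and `rpm` report "unable to unlink" even as root, which `chattr -i` clears), flags active /etc/inetd.conf entries that reference /bin/sh or in.smdb, and tests for the /usr/sbin/init and /usr/src/.puta artefacts. The sample lsattr and inetd.conf text is constructed, and SUSPECT_BINARIES, INDICATOR_PATHS and the function names are this example's own. Since ls, find, netstat and friends may themselves be the replaced binaries, feed it lsattr output taken with a known-good binary (a rescue environment, or one freshly reinstalled from the net-tools/e2fsprogs packages) rather than the compromised system's copy.

```python
"""Offline triage for the t0rn indicators described in this thread.

Constructed example; it is not code from the list, Cobalt, or chkrootkit.
Every function takes text (captured lsattr/inetd.conf output) or a path
predicate, so it can run against an image or saved output, not only live.
"""
import os

# Artefact paths named in the thread: a bogus init outside /sbin and the
# rootkit's (empty) working directory.
INDICATOR_PATHS = ("/usr/sbin/init", "/usr/src/.puta")

# Binaries the thread reports as replaced on the RaQ3. An immutable flag on
# one of these is a strong sign it was planted and pinned down.
SUSPECT_BINARIES = frozenset(
    {"login", "ls", "netstat", "ps", "du", "find", "ifconfig"})


def immutable_files(lsattr_output, only_suspect=True):
    """Return paths whose lsattr flag field contains 'i' (immutable).

    lsattr prints one line per file, e.g. '----i--------------- /bin/netstat'.
    The 'i' flag makes unlink/overwrite fail even for root, which is why the
    RPM reinstall in the thread reported "unable to unlink"; `chattr -i` on
    the file (as root) clears it. With only_suspect=True only the binaries
    the thread lists are reported, to keep legitimately pinned files out.
    """
    hits = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank line or lsattr error text
        flags, path = parts
        if "i" not in flags:
            continue
        if only_suspect and os.path.basename(path) not in SUSPECT_BINARIES:
            continue
        hits.append(path)
    return hits


def suspicious_inetd_entries(inetd_conf):
    """Return (line_no, entry) for active inetd.conf entries that mention
    /bin/sh or in.smdb, the two markers the thread says should not be there.

    inetd.conf fields: service socktype proto wait user server_path [args].
    Comment and blank lines are ignored, so a commented-out entry is not hit.
    """
    hits = []
    for no, raw in enumerate(inetd_conf.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        if "/bin/sh" in entry or "in.smdb" in entry:
            hits.append((no, entry))
    return hits


def present_indicator_paths(present=os.path.exists):
    """Return the artefact paths that exist. `present` defaults to the live
    filesystem; pass another predicate (e.g. membership in a file list taken
    from a mounted image) to check offline."""
    return [p for p in INDICATOR_PATHS if present(p)]


def triage(lsattr_output, inetd_conf, present=os.path.exists):
    """Run all checks; empty lists mean nothing was found."""
    return {
        "immutable": immutable_files(lsattr_output),
        "inetd": suspicious_inetd_entries(inetd_conf),
        "paths": present_indicator_paths(present),
    }


if __name__ == "__main__":
    # Constructed sample input shaped like the situation in the thread.
    SAMPLE_LSATTR = (
        "----i--------------- /bin/netstat\n"
        "-------------------- /bin/ls\n"
        "----i--------------- /sbin/ifconfig\n"
    )
    SAMPLE_INETD = (
        "# /etc/inetd.conf (constructed sample)\n"
        "ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a\n"
        "telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd\n"
        "smdb    stream  tcp  nowait  root  /usr/sbin/in.smdb  in.smdb\n"
        "x1      stream  tcp  nowait  root  /bin/sh  sh\n"
    )
    # Pretend filesystem: only the .puta directory is present.
    fake_fs = frozenset({"/usr/src/.puta"})
    report = triage(SAMPLE_LSATTR, SAMPLE_INETD, present=fake_fs.__contains__)
    for check, hits in report.items():
        print(f"{check}: {hits if hits else 'clean'}")
```

Run it as-is to see the constructed sample flagged; on a real box, pipe `lsattr /bin/* /sbin/* /usr/bin/* /usr/sbin/*` and `cat /etc/inetd.conf` into the two functions and leave `present` at its default. Anything it reports is a lead for the checksum comparison and RPM reinstall discussed above, not a verdict: the thread's own point stands that once a rootkit is confirmed, the full list of replaced files comes from the rootkit write-up, and the restore CD remains the fallback.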