Re: [cobalt-users] My Raq3 was hacked please help
- Subject: Re: [cobalt-users] My Raq3 was hacked please help
- From: Hendrik Runte <cobalt@xxxxxxxxxx>
- Date: Sun Apr 1 16:24:06 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Hi, please check 24.142.133.242; it seems my Cobalt was hacked. It
> shows a homepage called "kill all the japanese" and in the body you can see
> "1i0n Crew Powered by c00l ====== H.U.C =====1i0n". Can somebody please
> help me recover my Cobalt? I can't enter the server management web
> interface.
>
> This is not a joke, I really need step-by-step help to recover it.
>
> I will appreciate any comment or suggestion ASAP.
>
> David Rojas V, Ing.
> Gerente de Producto
> Advicom.- Audio, Video y Comunicaciones Cia. Ltda
> Broadcast Technology & Telecommunication Engineering
>
> Contacts:
>
> E-mail: drojas@xxxxxxxxxxxxxx
> Internet: http://www.advicom-ec.com
>
> Quito: Telefax (593-2)432911
> Cdla. La Granja Psje. Oe5D N31-51 y San Gabriel
>
> Guayaquil: (593-4)834940 - 834939 / Beeper: (593-4)534444 pin 7277
> Urb. Las Riberas, Mz. K villa 4, via Puntilla - Samborondon
> Casilla: 09-01-7606
>
> Ecuador, South America
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
Hi David,
please go to http://www.sans.org/y2k/lion.htm
and follow the instructions for downloading and installing lionfind. I'm
quite sure you'll get a 'positive' result.
If so, this might help:
(quotation from Jim Hunter's mail, 03/30/2001)
> This is preliminary information on an apparently new exploit of bind.
> The configuration hacked was a RAQ3i running the latest version of the
> OS and all released updates: We are running a primary DNS server on the
> RAQ3i. The hacker sent email to root describing the process followed:
>
> ----- Original Message -----
> From: <huckit@xxxxxxxxx>
> To: <root@xxxxxxxxxxxxxxxxxx>
> Sent: Thursday, March 29, 2001 11:57 PM
> Subject: I am so sorry!Your hosts was hacked!
>
>
>> Hello! Administrator:
>> I am sorry.
>> Your DNS server was hacked by my New variation of the ramen worm.
>> I am bestrow your index.html files only for awoke you patch the DNS server.
>> Please change your password and patch the DNS server to version 9.
>> And some backdoor in your system.
>> Do this follow me.:)
>> 1. kill the process of star.sh hack.sh scan.sh pscan ETC.
>> 2. remove the /tmp/ramen.tgz
>> 3. find the "/dev/.lib/star.sh" in the /etc/rc.d/rc.sysinit file and remove it.
>> 4. find the "asp stream tcp nowait root /sbin/asp " in the /etc/inetd.conf file and remove it.
>> 5. find the "10008 stream tcp nowait root /bin/sh sh" in the /etc/inetd.conf file and remove it.
>> 6. del the /dev/.lib
>>
>> ok.
>> Now, you removed the 1i0n worm.
>> Don't forget to restart your server.
>> :)
>>
>> GoodLuck!
>>
>> Lion
>> ************************************
>> http://map.china.com
>>
>
> The RAQ3i is on the DMZ of a Sonicwall Pro. The following is a portion
> of the SonicWall logs showing the attempts:
>
> 03/29/2001 11:25:45.448 The cache is full; too many open connections; some will be dropped 64.170.8.10, 1420, DMZ 157.40.0.72, 53, WAN
> 03/29/2001 11:30:28.480 The cache is full; too many open connections; some will be dropped 64.170.8.10, 2190, DMZ 165.19.24.61, 53, WAN
> 03/29/2001 11:32:26.512 The cache is full; too many open connections; some will be dropped 64.170.8.10, 2763, DMZ 193.35.0.74, 53, WAN
> 03/29/2001 11:37:13.496 The cache is full; too many open connections; some will be dropped 64.170.8.10, 3898, DMZ 189.66.24.156, 53, WAN
> 03/29/2001 11:39:11.800 The cache is full; too many open connections; some will be dropped 64.170.8.10, 4329, DMZ 148.72.0.80, 53, WAN
> 03/29/2001 11:43:55.512 The cache is full; too many open connections; some will be dropped 64.170.8.10, 1478, DMZ 40.49.24.139, 53, WAN
> 03/29/2001 11:44:28.512 Failed to resolve name 0.0.0.0 0.0.0.0 pop.net.effects.com
>
> ====================================
> To recover we forced a re-boot by a graceful power down, our UPS is
> remotely controlled, and restored the system from our tape backup.
> As we gather further info we will post it. We also took the temporary
> measure of closing more of the access through the firewall, until a
> patch is released.
>
Good luck!
Hendrik.
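The cleanup steps and the SonicWall excerpt quoted above give two kinds of Lion indicators: the entries the worm leaves in /etc/inetd.conf and /etc/rc.d/rc.sysinit, and a DMZ host opening connections to many different WAN hosts on port 53 until the firewall's connection cache fills. The Python below is an added example, not part of this thread and not lionfind: it checks the text of those two config files for the quoted entries and reports any log source that fans out to many port-53 targets. The sample configs are constructed, the log lines are the ones quoted above, and the fan-out threshold of 5 distinct hosts is an assumed value.

```python
import re
from collections import defaultdict

# Indicators taken from the cleanup steps quoted in the thread.
INETD_INDICATORS = (
    "asp stream tcp nowait root /sbin/asp",
    "10008 stream tcp nowait root /bin/sh sh",
)
SYSINIT_INDICATOR = "/dev/.lib/star.sh"
# SonicWall connection entries end in "<src>, <sport>, DMZ <dst>, <dport>, WAN".
LOG_RE = re.compile(r"(?P<src>\d+\.\d+\.\d+\.\d+), (?P<sport>\d+), DMZ "
                    r"(?P<dst>\d+\.\d+\.\d+\.\d+), (?P<dport>\d+), WAN$")

def find_config_indicators(inetd_conf, rc_sysinit):
    """Return the quoted worm entries present in the two config texts."""
    hits = ["inetd.conf: " + i for i in INETD_INDICATORS if i in inetd_conf]
    if SYSINIT_INDICATOR in rc_sysinit:
        hits.append("rc.sysinit: " + SYSINIT_INDICATOR)
    return hits

def dns_fanout(log_text, min_targets=5):
    """Map each DMZ source to the distinct WAN hosts it reached on port 53,
    keeping only sources that hit at least min_targets hosts. A name server
    answering queries does not open outbound connections to many different
    hosts on 53; a scanning worm does, which is what filled the cache above."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line.strip())
        if m and m.group("dport") == "53":
            targets[m.group("src")].add(m.group("dst"))
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

# Constructed sample configs carrying the entries the cleanup steps name.
SAMPLE_INETD = """ftp stream tcp nowait root /usr/sbin/tcpd in.proftpd
asp stream tcp nowait root /sbin/asp
10008 stream tcp nowait root /bin/sh sh
"""
SAMPLE_SYSINIT = "# constructed tail of rc.sysinit\n/dev/.lib/star.sh\n"
# Firewall lines as quoted in the thread (wrapped lines rejoined).
SAMPLE_LOG = """\
03/29/2001 11:25:45.448 The cache is full; too many open connections; some will be dropped 64.170.8.10, 1420, DMZ 157.40.0.72, 53, WAN
03/29/2001 11:30:28.480 The cache is full; too many open connections; some will be dropped 64.170.8.10, 2190, DMZ 165.19.24.61, 53, WAN
03/29/2001 11:32:26.512 The cache is full; too many open connections; some will be dropped 64.170.8.10, 2763, DMZ 193.35.0.74, 53, WAN
03/29/2001 11:37:13.496 The cache is full; too many open connections; some will be dropped 64.170.8.10, 3898, DMZ 189.66.24.156, 53, WAN
03/29/2001 11:39:11.800 The cache is full; too many open connections; some will be dropped 64.170.8.10, 4329, DMZ 148.72.0.80, 53, WAN
03/29/2001 11:43:55.512 The cache is full; too many open connections; some will be dropped 64.170.8.10, 1478, DMZ 40.49.24.139, 53, WAN
03/29/2001 11:44:28.512 Failed to resolve name 0.0.0.0 0.0.0.0 pop.net.effects.com
"""
if __name__ == "__main__":
    print(find_config_indicators(SAMPLE_INETD, SAMPLE_SYSINIT))
    print(dns_fanout(SAMPLE_LOG))
```

On a real RaQ3 you would pass the contents of the two files and the exported firewall log instead of the samples; a clean host returns an empty list and an empty dict.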