RE: [cobalt-users] Hacked Raq3
You were most likely hacked via a bind 8.2.2 exploit.

If the people who hacked your server are 1i0n crew H.U.C they are from the
Taiwan university nctu.edu.tw, they
primarily attack Japanese servers/sites.

Most likely the t0rntd root kit will be installed on your system and also
synscan, which would be scanning other systems for a bind version, looking
for other servers to compromise.

Your server would have also been used for DoS attacks on other servers.

You would also have the following compromised

/usr/sbin/t0rntd <-- in /etc/rc.d/rc.local, t0rntd root exploit
/dev/.lib/star.sh <-- in /etc/rc.d/rc.sysinit
/etc/inetd.conf <-- opened ports
/usr/sbin/nscd -q <-- in /etc/rc.d/rc.sysinit
/bin/login
/bin/ps
/bin/netstat
/bin/ls
/usr/bin/finger
/bin/mail
/etc/ttyhash
/usr/sbin/nscd
/usr/bin/find
/usr/bin/top
/usr/sbin/in.fingerd
/sbin/ifconfig
passwd
shadow

Your init scripts would also be deleted and compromised.

Email nctu.edu.tw, they need to be stopped.

You need to make a fresh installation; unless you can install sshd over the
cobalt pkg you won't be able to gain access to the system, as login has been
compromised.

Regards,

Benjamin Charles Tehan
DevForge Development Network
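An added triage script (not from this post or the list) that checks a suspect RaQ3 disk for the artefacts named above. It assumes the suspect disk is mounted read-only on a clean machine at the path passed as the first argument, because the hacked box's own ls, find, ps and netstat are among the replaced binaries and cannot be trusted; the checksum listing is meant to be diffed against the same run on a clean RaQ3 of the same release.

```shell
#!/bin/sh
# Added example, not the poster's code. Run from a CLEAN system against the
# suspect root filesystem mounted at $1 (default "/"); the trojaned ls/find/ps
# on the hacked box would hide exactly what we are looking for.

# Files the post says the kit drops.
T0RN_FILES="/usr/sbin/t0rntd /dev/.lib/star.sh /etc/ttyhash"

# Binaries the post says are replaced; checksum them for a diff against a
# clean install of the same RaQ3 release.
T0RN_BINS="/bin/login /bin/ps /bin/netstat /bin/ls /usr/bin/finger /bin/mail
/usr/sbin/nscd /usr/bin/find /usr/bin/top /usr/sbin/in.fingerd /sbin/ifconfig"

# Print one "FOUND: ..." line per indicator present under the given root.
t0rn_check() {
  root="${1:-/}"
  for f in $T0RN_FILES; do
    if [ -e "$root$f" ]; then echo "FOUND: dropped file $f"; fi
  done
  # /dev holds device nodes; a hidden directory there is the kit's stash.
  if [ -d "$root/dev/.lib" ]; then echo "FOUND: hidden directory /dev/.lib"; fi
  # Startup hooks: t0rntd in rc.local, star.sh and 'nscd -q' in rc.sysinit.
  if grep -q 't0rntd' "$root/etc/rc.d/rc.local" 2>/dev/null; then
    echo "FOUND: t0rntd started from /etc/rc.d/rc.local"
  fi
  if grep -Eq 'star\.sh|nscd -q' "$root/etc/rc.d/rc.sysinit" 2>/dev/null; then
    echo "FOUND: rootkit hook in /etc/rc.d/rc.sysinit"
  fi
  return 0
}

# Print "crc size path" for each replaced binary that exists under the root,
# with the mount prefix stripped so two listings diff cleanly.
t0rn_fingerprint() {
  root="${1:-/}"
  for b in $T0RN_BINS; do
    if [ -f "$root$b" ]; then
      set -- $(cksum "$root$b")
      echo "$1 $2 $b"
    fi
  done
  return 0
}
```

Run `t0rn_check /mnt/suspect` for the indicator report and `t0rn_fingerprint /mnt/suspect > suspect.txt` on both disks, then `diff clean.txt suspect.txt`; an empty report only means these particular artefacts are absent, not that the box is clean.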

-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Mark Brown
Sent: Tuesday, April 03, 2001 11:44 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: [cobalt-users] Hacked Raq3
Hello all,

I have a Raq 3 which was recently hacked by someone in China. Basically they
went in and replaced all of my index.html files with their own. I know I
should do a complete rebuild of the server and plan to this weekend but for
now I have uploaded all of my sites again. The only problem is that this
hack also affected and replaced the main admin html for the GUI. Is there
anyone who can tell me:

A. Where I can get a copy of the default html file for the admin sections
on the gui.

B. Where this file would go on the system.

Thanks
Mark