
[cobalt-users] 1ion crew hacks



This is a group out of Taiwan that has previously hacked servers in
Japan.

We were hacked by them about a week ago. They apparently have hacked
quite a few RAQs in the past week as the mailing list has had several
postings.

The exploit used by them is in bind 8.X; the solution is for Cobalt to
issue a patch upgrading the bind software to bind 9.

Recovery is simple but painful:

1. Get a Cobalt OS Restore CD-ROM

2. Restore your system as the booklet with the CD instructs

3. You're now back up with a bare system; apply all relevant Cobalt
patches

4. If you have a backup, from before you were hacked, restore your files
for users and sites

5. Re-install any custom software you might have been running.  In our
case that was Arkeia backup and Cistron Radius.

6. If you turn on your DNS you may be hacked again by them. We did
determine the origin was an ISP, china.com.  I sent email to them about
the hack, including the email they sent to root on our system. Since we
have to run DNS, we're hoping Cobalt will do something quickly.

As a possible fallback we may try to block only the china.com IP range:

; <<>> DiG 8.1 <<>> @web china.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      china.com, type = A, class = IN

;; ANSWER SECTION:
china.com.              1H IN A         202.84.13.20

;; AUTHORITY SECTION:
china.com.              1H IN NS        ns1.china.com.
china.com.              1H IN NS        ns2.china.com.

;; ADDITIONAL SECTION:
ns1.china.com.          1H IN A         202.106.186.26
ns2.china.com.          1H IN A         202.84.1.101

;; Total query time: 169 msec
;; FROM: web to SERVER: web  207.126.100.129
;; WHEN: Wed Apr  4 19:51:51 2001
;; MSG SIZE  sent: 27  rcvd: 111


If we have to we'll try blocking the following, a major chunk of IP#s:

202.106.0.0
202.84.0.0

We have to assume that they'll be back, as they may have accounts with
other ISPs.
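An added example (mine, not part of the original post): a small Python script that pulls the A records out of the dig 8 answer above, derives the /16 blocks the post proposes from them, and reports how many addresses such a block covers, since a /16 deny rule reaches far more hosts than the one ISP. The dig text is constructed from the post's answer, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the record lines from the dig 8 answer in the post.
DIG_OUTPUT = """\
;; ANSWER SECTION:
china.com.              1H IN A         202.84.13.20

;; AUTHORITY SECTION:
china.com.              1H IN NS        ns1.china.com.
china.com.              1H IN NS        ns2.china.com.

;; ADDITIONAL SECTION:
ns1.china.com.          1H IN A         202.106.186.26
ns2.china.com.          1H IN A         202.84.1.101
"""

# dig 8 record line: owner, TTL, class, type, rdata (only A records wanted)
A_RECORD = re.compile(r"^(\S+)\s+\S+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)


def a_records(dig_text):
    """Return (owner, IPv4Address) pairs for every A record in dig output."""
    return [(m.group(1), ipaddress.ip_address(m.group(2)))
            for m in A_RECORD.finditer(dig_text)]


def covering_blocks(addresses, prefix=16):
    """Collapse addresses into the /prefix networks that contain them,
    which is what the post does by hand when it lists 202.106.0.0 and
    202.84.0.0 as the ranges to deny."""
    nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addresses}
    return sorted(nets)


def is_blocked(address, blocks):
    """True if address falls inside any of the deny blocks."""
    return any(ipaddress.ip_address(address) in b for b in blocks)


def addresses_covered(blocks):
    """Total number of addresses a deny list of these blocks affects."""
    return sum(b.num_addresses for b in blocks)


BLOCKS = covering_blocks(addr for _, addr in a_records(DIG_OUTPUT))

if __name__ == "__main__":
    for b in BLOCKS:
        print(b)
    print("addresses covered:", addresses_covered(BLOCKS))
```

Run it and the two /16 blocks from the post come out, along with the 131072 addresses they cover, which is the "major chunk of IP#s" the post warns about.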