RE: [cobalt-users] 1ion crew hacks
- Subject: RE: [cobalt-users] 1ion crew hacks
- From: "JK" <thejk@xxxxxxxx>
- Date: Wed Apr 4 13:31:32 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Thanks for your info. However, my understanding was that 8.23-REL BIND
is not vulnerable to this hack. What version of BIND were you running
at the time you got hacked? When did you apply the latest BIND patch
from Cobalt? Perhaps, they got in and installed a backdoor before you
applied the patch?
>-----Original Message-----
>From: cobalt-users-admin@xxxxxxxxxxxxxxx
>[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Jim Hunter
>Sent: Wednesday, April 04, 2001 8:10 PM
>To: cobalt-users@xxxxxxxxxxxxxxx
>Subject: [cobalt-users] 1ion crew hacks
>
>This is a group out of Taiwan that has previously hacked servers in
>Japan.
>
>We were hacked by them about a week ago. They apparently have hacked
>quite a few RAQs in the past week as the mailing list has had several
>postings.
>
>The exploit used by them is in bind 8.X; the solution is for Cobalt to
>issue a patch upgrading the bind software to bind 9.
>
>Recovery is simple but painful:
>
>1. Get a Cobalt OS Restore CD-ROM
>
>2. Restore your system as the booklet with the CD instructs
>
>3. You're now back up with a bare system; apply all relevant Cobalt
>patches
>
>4. If you have a backup from before you were hacked, restore your files
>for users and sites
>
>5. Re-install any custom software you might have been running. In our
>case that was Arkeia backup and Cistron Radius.
>
>6. If you turn on your DNS you may be hacked again by them; we did
>determine the origin was an ISP, china.com. I sent email to them about
>the hack, including the email they sent to root on our system. Since we
>have to run DNS, we're hoping Cobalt will do something quickly.
>
>As a possible fall back we may try to block only the china.com IP range:
>
>; <<>> DiG 8.1 <<>> @web china.com
>; (1 server found)
>;; res options: init recurs defnam dnsrch
>;; got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2,
>ADDITIONAL: 2
>;; QUERY SECTION:
>;; china.com, type = A, class = IN
>
>;; ANSWER SECTION:
>china.com. 1H IN A 202.84.13.20
>
>;; AUTHORITY SECTION:
>china.com. 1H IN NS ns1.china.com.
>china.com. 1H IN NS ns2.china.com.
>
>;; ADDITIONAL SECTION:
>ns1.china.com. 1H IN A 202.106.186.26
>ns2.china.com. 1H IN A 202.84.1.101
>
>;; Total query time: 169 msec
>;; FROM: web to SERVER: web 207.126.100.129
>;; WHEN: Wed Apr 4 19:51:51 2001
>;; MSG SIZE sent: 27 rcvd: 111
>
>If we have to we'll try blocking the following, a major chunk of IP#s:
>
>202.106.0.0
>202.84.0.0
>
>We have to assume that they'll be back as they may have accounts with
>other ISPs.
>
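The quoted message proposes blocking "202.106.0.0" and "202.84.0.0" as a fallback but gives no netmask, and it is worth checking that whatever mask is chosen actually covers the addresses the dig output returned. The script below is an added example written for this archive page, not code from either poster: it parses the A records out of dig-style output, tests them against the proposed blocks, and renders deny rules. The /16 mask and the ipchains syntax (what a Linux 2.2 era RaQ would use) are both assumptions, and the dig lines are copied from the quoted post as constructed sample input.

```python
import ipaddress
import re

# Constructed sample input: the answer/additional sections from the dig
# output quoted in the post above.
DIG_OUTPUT = """\
china.com. 1H IN A 202.84.13.20
china.com. 1H IN NS ns1.china.com.
china.com. 1H IN NS ns2.china.com.
ns1.china.com. 1H IN A 202.106.186.26
ns2.china.com. 1H IN A 202.84.1.101
"""

# The two blocks the post proposes. It gives no mask; /16 is an assumption
# (the bare "202.106.0.0" reads as a class-B sized range).
PROPOSED_BLOCKS = ["202.106.0.0/16", "202.84.0.0/16"]

# owner  ttl  IN  A  dotted-quad  (dig 8 prints TTLs like "1H")
A_RECORD = re.compile(
    r"^(\S+)\s+\S+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M
)


def a_records(dig_text):
    """Return {owner_name: IPv4Address} for every A record in dig output.

    NS lines are ignored; their addresses only appear via their own A records.
    """
    return {
        name.rstrip("."): ipaddress.ip_address(ip)
        for name, ip in A_RECORD.findall(dig_text)
    }


def uncovered(addresses, blocks):
    """Addresses (as strings, sorted) that fall outside every block in `blocks`."""
    nets = [ipaddress.ip_network(b, strict=True) for b in blocks]
    return sorted(
        str(addr) for addr in addresses if not any(addr in n for n in nets)
    )


def ipchains_rules(blocks, chain="input"):
    """Render deny rules for the blocks in ipchains syntax (assumed host tooling)."""
    return [f"ipchains -A {chain} -s {block} -j DENY" for block in blocks]


if __name__ == "__main__":
    records = a_records(DIG_OUTPUT)
    for name, addr in records.items():
        print(f"{name:<16} {addr}")
    missing = uncovered(records.values(), PROPOSED_BLOCKS)
    print("uncovered by proposed blocks:", missing or "none")
    for rule in ipchains_rules(PROPOSED_BLOCKS):
        print(rule)
```

Run it as-is and every address from the dig output lands inside one of the two /16s; drop the 202.106.0.0/16 entry and `uncovered` reports ns1's address, which is the kind of gap a source-based block silently leaves. As the poster notes, this only narrows the attack surface for one ISP; the real fix remains the BIND upgrade.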