RE: [cobalt-users] HaQ'd? Or not? Lion tracks...
- Subject: RE: [cobalt-users] HaQ'd? Or not? Lion tracks...
- From: "Kennedy, Robert" <RKennedy@xxxxxxxxx>
- Date: Wed Apr 4 23:03:11 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Here are a couple of checks we've been doing. Some infected boxes have some of
these characteristics, some have none.. heh. But here's some stuff we've
found:
- root's crontab has a line to run /usr/sbin/init every 5 minutes
- there is a /usr/sbin/init file (normally isn't)
- Do a search for files owned by group 'wheel' (infected files, if it got in via named)
- /usr/bin/xcat (old /bin/login)
- /bin/login is chattr +i'd (use lsattr to list attributes)
- file called /etc/named/a that is a little script
- Turn off named and run: netstat -tan | grep LISTEN .. if you see port 53 still open, it's bad.. heh..
- There's more stuff.. i'll post as i remember :)
Rob
Rob Kennedy
ASPRE, Inc.
rkennedy@xxxxxxxxx
http://www.aspre.net/
Managed e-Business that works
---------------------------------
the first exclusive e-Business Application Service Provider (ASP)
t. 215.957.2266 Ext. 2145
f. 215.957.2277
113 Rock Road
Horsham, PA 19044
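The checklist above, as an added example that is not part of Rob's message or anything Cobalt shipped: a POSIX sh script with one function per indicator, plus a wrapper that runs them all and counts what it finds. It assumes root's crontab is the Vixie cron spool file /var/spool/cron/root (the Cobalt/RedHat layout; /var/spool/cron/crontabs/root is tried as well), and that lsattr and netstat (or ss) exist where those checks run. The root-prefix argument is my addition so the file checks can be pointed at a suspect disk mounted read-only elsewhere; the wheel-group and port 53 checks only mean something on the live box.

```shell
#!/bin/sh
# Added example: the indicators from the post above as shell functions.
# Each check takes a root prefix: "/" for the live box, or the mount point
# of a suspect disk. Exit status: 0 = indicator present, 1 = absent,
# 2 = could not be checked here. Assumption (not in the post): root's crontab
# is the Vixie cron spool file /var/spool/cron/root (Cobalt/RedHat layout);
# /var/spool/cron/crontabs/root is tried as well for other layouts.

# root's crontab has a line running /usr/sbin/init (every 5 minutes per the post)
check_cron_init() {
    r=${1%/}
    for f in "$r/var/spool/cron/root" "$r/var/spool/cron/crontabs/root"; do
        if [ -f "$f" ] && grep -q '/usr/sbin/init' "$f"; then
            echo "HIT: $f runs /usr/sbin/init: $(grep '/usr/sbin/init' "$f")"
            return 0
        fi
    done
    echo "ok: no /usr/sbin/init entry in root's crontab"
    return 1
}

# A path that normally does not exist: /usr/sbin/init, /usr/bin/xcat
# (the worm's copy of the old /bin/login) or /etc/named/a (the little script).
check_file_present() {
    r=${1%/}
    if [ -e "$r$2" ]; then
        echo "HIT: $r$2 exists: $(ls -ld "$r$2")"
        return 0
    fi
    echo "ok: $2 absent"
    return 1
}

# /bin/login has been chattr +i'd: look for 'i' in lsattr's attribute field.
check_login_immutable() {
    f="${1%/}/bin/login"
    if ! command -v lsattr >/dev/null 2>&1 || [ ! -f "$f" ]; then
        echo "skip: cannot check the immutable bit on $f"
        return 2
    fi
    attrs=$(lsattr "$f" 2>/dev/null | awk '{print $1}')
    case "$attrs" in
        *i*) echo "HIT: $f is immutable ($attrs)"; return 0 ;;
    esac
    echo "ok: $f is not immutable"
    return 1
}

# Files owned by group wheel (what is left behind when it got in via named).
# find resolves the group name on the running host, so live box only.
check_wheel_files() {
    r=${1%/}
    if ! grep -q '^wheel:' /etc/group 2>/dev/null; then
        echo "skip: no wheel group on this host"
        return 2
    fi
    out=$(find "${r:-/}" -xdev -type f -group wheel 2>/dev/null)
    if [ -n "$out" ]; then
        echo "HIT: files owned by group wheel:"; echo "$out"
        return 0
    fi
    echo "ok: no files owned by group wheel"
    return 1
}

# With named stopped, nothing should still be listening on tcp/53 (live only).
check_port53_listener() {
    if command -v netstat >/dev/null 2>&1; then
        out=$(netstat -tan 2>/dev/null | grep LISTEN | grep ':53[[:space:]]')
    elif command -v ss >/dev/null 2>&1; then
        out=$(ss -Htln 2>/dev/null | grep ':53[[:space:]]')
    else
        echo "skip: neither netstat nor ss is available"
        return 2
    fi
    if [ -n "$out" ]; then
        echo "HIT: something is still listening on tcp/53:"; echo "$out"
        return 0
    fi
    echo "ok: nothing listening on tcp/53"
    return 1
}

# Run every check against one root; returns 0 only if nothing was found.
lion_scan() {
    scan_root=${1:-/}
    hits=0
    if check_cron_init "$scan_root"; then hits=$((hits + 1)); fi
    for p in /usr/sbin/init /usr/bin/xcat /etc/named/a; do
        if check_file_present "$scan_root" "$p"; then hits=$((hits + 1)); fi
    done
    if check_login_immutable "$scan_root"; then hits=$((hits + 1)); fi
    if check_wheel_files "$scan_root"; then hits=$((hits + 1)); fi
    if check_port53_listener; then hits=$((hits + 1)); fi
    echo "summary: $hits indicator(s) present under $scan_root"
    [ "$hits" -eq 0 ]
}

# Usage: sh lion_checks.sh /     (or: sh lion_checks.sh /mnt/suspect)
if [ "$#" -gt 0 ]; then
    lion_scan "$1"
fi
```

Run it as root with named already stopped, and treat a "skip" as an unanswered question rather than a pass. As Rob says, some infected boxes show none of these, so a clean run rules nothing out; it only tells you which of the known traces this box carries.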
-----Original Message-----
From: Jay Jennings [mailto:jennings@xxxxxxxxxx]
Sent: Thursday, April 05, 2001 4:41 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] HaQ'd? Or not? Lion tracks...
> Does your machine handle mail for any other domain? It may have gotten
> forwarded....Data Format Error happens with some spam tricks too, so it
> may well be forged...
Yes, I have a couple dozen domains on the server.
> try chkrootkit too, just in case it's one thing pretending to be another
I ran chkroot and it didn't find anything.
> try to telnet to port 53 on your machine and see if it connects....
As I headed for telnet to give that a shot, a little tiny voice in the back
of my head said, "Should you do that if you're running Portsentry?"
Unfortunately, that little tiny voice just wasn't assertive enough -- and I
locked myself out of my own server. Doh! But I reset my DSL connection to
get a new IP and got back in.
So, the answer to the question is no, I can't connect to port 53 via telnet.
(I took that as a sign and turned off telnet and am using SSH now.)
Anything else I should check that will tell me if I'm hacked? Or do I just
wait and see? :(
Thanks.
..jj..
_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users