
Re: [cobalt-users] Telnet and FTP not working



"Colin J. Raven" wrote:

> > > Hi List,
> > >
> > > Both Telnet and FTP suddenly stopped working on my RAQ3.
> > > The web server is running fine but there is no way to login.
> > >
> > > Any ideas on how to recover the system are appreciated.
> > >
>
> > If you just want to get them working again, you might try disabling
> > (save changes)and then re-enabling them (save changes) via the
> > Admin GUI/control panel. If that doesn't work you could also install
> > an SSH package (http://pkg.nl.cobalt.com) to gain access again.
> >
> Think "hacked" before all else.
> In any event, a serial connection sounds like the only entry point
> that's feasible.
> I've never seen a RAQ3....but I *assume* the thing has a serial port.
> From a console session you can do more than with the GUI.
> jm2¢w
> -Colin

Hacked! ... check your ports ... you might find several open ports of trojans, and an enable/disable of telnet might not work, because the hacker prevents you from changing this anymore ...

try the SSH package ... but be aware that if you use "ps -ax" you might still find everything ok ... because this is also often hacked to deceive you ... so take a look with locate to find a backup of several files like ps ... run the backup ps or make an rpm update of ps ... check out all running processes ... you have to be quick ... because a good hacker will know that you wish to get him going and will kick you off ... so kick off all other daemons except your session! ... search for the trojans ... eliminating them ... it's a huge dirty job, and you have to find all trojans ... if one is left ... you have left the hacker an access to your domain ... be aware that he might cover his tracks under a httpd port so that you couldn't see the trojan, because port 80 is your default web port ... maybe try to update all files with recent RPMs to overwrite the hacked ones ...

after all ... very often the hacker got into your box by a ftp or bin exploit ... check out updates ... and what I could find at cobalt:
!!! let named run under named !!! like named -u named ... so if a hacker tries to use a bind exploit he doesn't get root but named instead ... it's not much, but better than leaving him root !!!

... if the ssh fails ... have your server rebooted and the root password cleaned ...
... maybe the last word is the OS CD!

Götz Lohmann

PS: really wonder how often it is read on the board that a RaQ3 is hacked!
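One defensive check that follows from the advice in this thread (verify ps and the other system programs against the RPM database instead of trusting their output), as an added example that is not part of the list post: it parses `rpm -Va` report lines and flags system binaries whose contents, mode or size no longer match their package. The sample report, the `suspicious` function and the `Finding` type are my own constructions, not anything from Cobalt's tooling.

```python
"""Flag replaced system programs in `rpm -Va` output (added example).

Each `rpm -V` line carries an 8- or 9-character test string (S size, M mode,
5 digest, D device, L link, U user, G group, T mtime, P capabilities; '.'
means the test passed), an optional attribute letter (c config, d doc, ...)
and the path, or the word "missing".  Caveat: rpm and its database are
themselves files on the compromised host; a trustworthy verification uses
rpm from known-good media such as the OS CD.
"""
import re
from dataclasses import dataclass

LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$"
)
# Directories where a changed digest, mode or size means a replaced program.
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")

# Constructed sample report, not taken from any real RaQ3.
SAMPLE = """\
S.5....T    /bin/ps
S.5....T    /bin/netstat
.......T    /usr/bin/vi
S.5....T  c /etc/inetd.conf
missing     /sbin/ifconfig
.M......    /usr/bin/passwd
"""


@dataclass
class Finding:
    path: str
    reason: str


def suspicious(report):
    """Return the files in REPORT that look like replaced system programs."""
    findings = []
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # headers, warnings and other non-report lines
        flags, attr, path = m.group("flags"), m.group("attr"), m.group("path")
        if attr == "c" or not path.startswith(BIN_DIRS):
            continue  # config files and non-system paths change legitimately
        if flags == "missing":
            findings.append(Finding(path, "missing"))
        elif "5" in flags:
            findings.append(Finding(path, "content differs from package"))
        elif "M" in flags or "S" in flags:
            findings.append(Finding(path, "mode or size changed"))
        # an mtime-only difference ('T') is not evidence on its own
    return findings


if __name__ == "__main__":
    for f in suspicious(SAMPLE):
        print(f"{f.path}: {f.reason}")
```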