
[cobalt-users] Re: Hacked? Telnet gone, SSH gone, strange ports open



>Consider your machine owned. (How do they spell that? 0wn3d?) Haqd, as
>I put it.
>Back up your sites, wipe the drive/restore... all that sad jazz.
>My condolences.
>CarrieB

Sorry if I posted a repeat, but I wasn't getting confirmation from the list.

Thanks for that idea, but I'd really, really hate to restore; the current
setup is a bit complicated and replicating it is not easy or quick.

Well, just for those in this scenario, the OpenSSH 2.9 on the EMEA website
http://pkg.nl.cobalt.com/ did install over my older clammed-up SSH which
wasn't letting me in.  So I got back into the machine, and things are starting
to look better.

First measure: close all ports I don't use or don't know what they are.
 netstat -a  gave me some ports on 667 and 7000-something; I understand those
are arkeia and legato ports, and those are shut.  I shut the stupid 514 remote
shell port, which I hope was the only door for the hacker.

I've only pop3, ftp, ssh and www open, plus that 444 which I've read
corresponds to the secure GUI administration.  Is this port 444 open on all
RaQ3s by default? I know our other RaQ2s don't show it.  It wouldn't shut
down from inetd.conf, and I really have no idea how to shut it as I don't
know what service listens on it.

Next step, I am installing ipchains, tripwire, chkrootkit, findlion, the works,
as per a nifty post to this list found here:

http://list.cobalt.com/pipermail/cobalt-users/2001-April/042023.html

Following that I will need to replace su, ls, and some other utilities used
to hide crackers.  If anyone has done this before and knows the location of
pkgs or rpms or sources the url would be greatly appreciated.

Finally I am concerned about proftpd and qpopper.  I will do further
research on these before I ask questions. But my guess is they need
replacement.

I am also getting vulnerabilities on bind, which is updated to 8.2.3 but is
still giving vulnerabilities from the older bind.  Should I go for broke and
install 9?

One final question: what are the default permissions for the log files in
/var? I have some strange readings on those too.

If any of you can give me a hand with some of these questions it will be
greatly appreciated.
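As an added example (not from the original post or from the list), here is a small shell script that does the netstat triage described above: it compares `netstat -a` listeners against an allowlist of the services the poster intends to keep, and for each unexpected one says whether it is spawned from inetd.conf or is a standalone daemon that has to be found with ps instead. The netstat output and the inetd.conf excerpt are constructed samples, not captures from a real RaQ.

```shell
#!/bin/sh
# Added example: triage `netstat -a` output against an allowlist of expected
# listeners and say where each unexpected one is started from.
# All input below is constructed sample data, not output from a real RaQ.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:pop3                  *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:444                   *:*                     LISTEN
tcp        0      0 *:shell                 *:*                     LISTEN
tcp        0      0 *:667                   *:*                     LISTEN
tcp        0      0 *:7001                  *:*                     LISTEN
tcp        0      0 localhost:33452         localhost:444           ESTABLISHED'

# Constructed excerpt of /etc/inetd.conf (service names as in /etc/services).
SAMPLE_INETD='ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.proftpd
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  in.qpopper
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd'

# Services/ports the poster intends to keep: pop3, ftp, ssh, www and 444.
ALLOWED="pop3 ftp ssh www 444"

# Print "proto port" for each listening socket whose local port/service is
# not in the allowlist. TCP must be in LISTEN; a UDP socket bound with *:*
# as its foreign address is also a listener.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        ($1 ~ /^tcp/ && $NF == "LISTEN") || ($1 ~ /^udp/ && $5 == "*:*") {
            port = $4; sub(/.*:/, "", port)   # keep only the part after the last colon
            if (!(port in ok)) print $1, port
        }'
}

# For a service name, show the inetd.conf line that spawns it (comment it out
# and HUP inetd to close it). No line means a standalone daemon: find it with
# ps rather than inetd.conf, as with the RaQ admin server on 444.
inetd_line_for() {
    printf '%s\n' "$1" | awk -v svc="$2" '$1 == svc { found = 1; print }
        END { if (!found) print svc ": not in inetd.conf (standalone daemon)" }'
}

unexpected_listeners "$SAMPLE_NETSTAT" "$ALLOWED"
inetd_line_for "$SAMPLE_INETD" shell
inetd_line_for "$SAMPLE_INETD" 444
```

On a live box, replace the samples with `netstat -a` and `/etc/inetd.conf` themselves; run `netstat -an` as well so a tampered /etc/services cannot hide a port behind a familiar name.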