
Re: [cobalt-users] Hacked?



"William Plunkett" <wjptcs@xxxxxxxxxxxxx> wrote:
> How can I find out for sure if our RAQ3 has been hacked into?

I'd say that reports that it's port scanning are pretty much proof positive
unless you or another user with shell access is doing it.  With hackers
getting increasingly more sophisticated every day, it's difficult to
definitively diagnose that you've been hacked, track down the rogue programs
and remove/replace them and determine what security exploit was used to gain
access.

> We are getting reports that our machine is portscanning large numbers of
> IP addresses. The reports back to us all show the scans coming from the IP
> address of our RAQ3 server. Is there something I can do to find this hack?
> Or where should I look.

You can pay a professional security expert to look, but unless it happens to
be a pretty simple, easy to locate rootkit and the hacker didn't cover her
tracks, it could take hours for a security expert to locate, and expect to
pay a pretty penny.  More and more hackers are using loadable kernel modules
that are nearly impossible to find (they are essentially invisible), are
very good at covering their tracks, and it's probably more economically
feasible to simply reinstall the OS, all of your software and reload your
sites/users/databases/config files from a clean off-server backup.  I'm not
trying to scare you as much as I'm trying to suggest what I would do if I
were in your shoes.  One of the hats I wear is that of a Linux server admin,
administering servers is a service I do professionally, and I would even
do what I suggest.  I can find rootkits and detect security violations and
altered log files, etc. some of the time, but if I really wanted to feel
safe after I'd been hacked I'd either wipe everything and reinstall or pay a
security expert to look into it.  I had an online article written by a
system admin at Virginia Tech that described the steps taken to discover,
diagnose, track, and clean a system that had been hacked with a
sophisticated rootkit, but I can't find the file I had it saved in or the
URL using google.com.  If I find it I'll post it.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
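One way to check a "your box is scanning us" report from your own logs, as an added example that is not part of this thread: assuming the server writes outbound connections to syslog through a netfilter LOG rule (an assumption; the log lines below are constructed samples, and a RaQ of that era may log in a different format), the script flags any source address that reached many distinct destinations on one port inside a short window, which is the pattern the complainants are describing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches a netfilter LOG line such as
# "Mar  4 02:10:01 raq3 kernel: OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.7 ... PROTO=TCP SPT=40000 DPT=21 ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*PROTO=(?P<proto>\w+) .*DPT=(?P<dpt>\d+)"
)
EPOCH = datetime(1900, 1, 1)  # syslog timestamps carry no year; strptime defaults to 1900


def find_scanners(lines, window=60, threshold=20):
    """Return {(src, proto, dpt): distinct_dst_count} for every (source, protocol,
    destination port) that hit at least `threshold` distinct destinations within
    one `window`-second bucket. Ordinary traffic talks to few hosts per port."""
    buckets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall line; ignore it
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        bucket = int((ts - EPOCH).total_seconds()) // window
        buckets[(m["src"], m["proto"], m["dpt"], bucket)].add(m["dst"])
    hits = {}
    for (src, proto, dpt, _), dsts in buckets.items():
        if len(dsts) >= threshold:
            key = (src, proto, dpt)
            hits[key] = max(hits.get(key, 0), len(dsts))
    return hits


def _line(hms, src, dst, proto, dpt):
    """Build one constructed netfilter-style log line (sample data, not a real log)."""
    return (f"Mar  4 {hms} raq3 kernel: OUT: IN= OUT=eth0 SRC={src} DST={dst} LEN=60 TOS=0x00 "
            f"PREC=0x00 TTL=64 ID=0 DF PROTO={proto} SPT=40000 DPT={dpt} WINDOW=5840 SYN")


# Constructed sample: one host sweeping 25 addresses on tcp/21 inside a minute,
# plus ordinary mail and web traffic that should not be flagged.
SAMPLE = [_line(f"02:10:{i:02d}", "10.0.0.5", f"192.0.2.{i + 1}", "TCP", 21) for i in range(25)]
SAMPLE += [_line("02:10:30", "10.0.0.5", "198.51.100.7", "TCP", 25)] * 3
SAMPLE += [_line(f"02:11:{i:02d}", "10.0.0.9", f"203.0.113.{i + 1}", "TCP", 80) for i in range(5)]

if __name__ == "__main__":
    for (src, proto, dpt), n in find_scanners(SAMPLE).items():
        print(f"{src} reached {n} distinct hosts on {proto}/{dpt} within one window")
```

A hit tells you which local address is sweeping, which is the starting point for `lsof`/`netstat -p` on that box to find the process, bearing in mind that the reply above is right that a kernel-module rootkit can hide the process from those very tools.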