
Re: [cobalt-users] Hacked?



> How can I find out for sure if our RAQ3 has been hacked into? We are
> getting reports that our machine is portscanning large numbers of IP
> addresses. The reports back to us all show the scans coming from the IP
> address of our RAQ3 server. Is there something I can do to find this
> hack? Or where should I look.

Well, based on this, I'd say you're either definitely hacked, or one of
your users with a shell account is in there doing some dirty work.
Do a search through the archives for li0nfind; download that and run
it, go to chkrootkit.org and download that and run it.
Check your /root/.bash_history and see if there's anything in there
that you didn't do, and that whoever it was forgot to erase (they
normally don't forget, though).
Do a 'last' to see who's been logging in.
Run a 'netstat' to see what connections are going on. There are all
sorts of options you can use with netstat, 'man netstat' or
'netstat --help' to see what they are.
Run a 'top' but don't trust it, it's probably been fixed to not show
you everything.
Run a 'ps -aux' but don't trust it, same thing.
Check your /etc/inetd.conf to see if anything's been added in there.
Check your /etc/rc.d/rc.local to see if anything's been added in
there.
There's tons more you can do. Look in the archives for 'hacked' and
'how can I tell if I've been hacked' and any other thing like that you
can think of.

Mainly, if you've got proof that the server is running portscans, TAKE
IT OFFLINE... before it opens someone else's machine up and exploits
them.
Most likely you're going to just have to wipe and restore; *thinking*
that you have found all of the hacker's footprints and cleaned them up
isn't good enough.

Before you put that machine back online get some security measures on
it, if you don't have them already (logcheck, portsentry, ipchains).
If you do a restore, install all of the patches and make all of your
personal tweaks and then install and run Tripwire *before* it goes
back online. Back up the Tripwire database to your own machine, CD,
etc.

If you've got any users with shell accounts, disable them and don't
give them back. Use SSH2 rather than telnet. Disable telnet.
Umm... may the force be with you?  :)

CarrieB
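An added example (mine, not from the list or from Cobalt) of the "run ps but don't trust it" point above: a trojaned ps hides processes, but the kernel still exposes every PID as a directory under /proc, so comparing the two reveals what ps is not showing. The sample ps output and /proc PID set are constructed; `live_check()` does the same comparison on the host it runs on.

```python
import os
import subprocess

# Constructed sample "ps aux" output (header plus a few rows, not from a real host).
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   1104   472 ?        S    10:01   0:04 init
root       311  0.0  0.2   1224   604 ?        S    10:01   0:00 inetd
root       402  0.0  0.3   2260   952 ?        S    10:02   0:00 /usr/sbin/sshd
carrie    1507  0.0  0.4   1752  1004 pts/0    S    11:15   0:00 -bash
"""

# Constructed /proc listing for the same moment: PID 666 exists but ps does not show it.
SAMPLE_PROC_PIDS = {1, 311, 402, 666, 1507}


def pids_from_ps(ps_text):
    """Parse the PID column out of 'ps aux' style output, skipping the header line."""
    pids = set()
    for line in ps_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():
            pids.add(int(fields[1]))
    return pids


def hidden_pids(proc_pids, ps_text):
    """PIDs the kernel reports (from /proc) that the ps output omits, sorted."""
    return sorted(set(proc_pids) - pids_from_ps(ps_text))


def proc_pids_now():
    """Numeric directory names under /proc are the PIDs the kernel currently knows."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def live_check():
    """Snapshot /proc before and after running ps, so short-lived processes (and ps
    itself) are not flagged: only PIDs alive in both snapshots and absent from ps count."""
    before = proc_pids_now()
    ps_text = subprocess.run(["ps", "aux"], capture_output=True, text=True, check=True).stdout
    after = proc_pids_now()
    return hidden_pids(before & after, ps_text)


if __name__ == "__main__":
    print("sample:", hidden_pids(SAMPLE_PROC_PIDS, SAMPLE_PS))  # [666]
    print("live:", live_check())
```

A kernel-level rootkit that also filters /proc defeats this comparison, which is one more reason the post's advice to wipe and restore rather than trust a "cleaned" box stands.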