Re: [cobalt-users] Hacked?
- Subject: Re: [cobalt-users] Hacked?
- From: "Noodles" <uglytw@xxxxxxxxxxx>
- Date: Tue May 29 09:19:35 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
And go with Carrie's tips. Maybe even secure ftp too.
Stay Happy
Noodles
----- Original Message -----
From: "Carrie Bartkowiak" <ravencarrie@xxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, May 29, 2001 8:33 PM
Subject: Re: [cobalt-users] Hacked?
> > How can I find out for sure if our RAQ3 has been hacked into? We are
> > getting reports that our machine is portscanning large numbers of IP
> > addresses. The reports back to us all show the scans coming from the
> > IP address of our RAQ3 server. Is there something I can do to find
> > this hack? Or where should I look?
>
> Well based on this, I'd say you're either definitely hacked, or one of
> your users with a shell account is in there doing some dirty work.
> Do a search through the archives for li0nfind; download that and run
> it, go to chkrootkit.org and download that and run it.
> Check your /root/.bash_history and see if there's anything in there
> that you didn't do, and that whoever it was forgot to erase (they
> normally don't forget, though).
> Do a 'last' to see who's been logging in.
> Run a 'netstat' to see what connections are going on. There are all
> sorts of options you can use with netstat, 'man netstat' or
> 'netstat --help' to see what they are.
> Run a 'top' but don't trust it, it's probably been fixed to not show
> you everything.
> Run a 'ps -aux' but don't trust it, same thing.
> Check your /etc/inetd.conf to see if anything's been added in there.
> Check your /etc/rc.d/rc.local to see if anything's been added in
> there.
> There's tons more you can do. Look in the archives for 'hacked' and
> 'how can I tell if I've been hacked' and any other thing like that you
> can think of.
>
> Mainly, if you've got proof that the server is running portscans, TAKE
> IT OFFLINE... before it opens someone else's machine up and exploits
> them.
> Most likely you're going to just have to wipe and restore; *thinking*
> that you have found all of the hacker's footprints and cleaned them up
> isn't good enough.
>
> Before you put that machine back online get some security measures on
> it, if you don't have them already (logcheck, portsentry, ipchains).
> If you do a restore, install all of the patches and make all of your
> personal tweaks and then install and run Tripwire *before* it goes
> back online. Back up the tripwire database to your own machine, CD,
> etc.
>
> If you've got any users with shell accounts, disable them and don't
> give them back. Use SSH2 rather than telnet. Disable telnet.
> Umm... may the force be with you? :)
>
> CarrieB
>
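A cross-check of the kind Carrie's "run ps but don't trust it" advice calls for, added here as an example that is not part of the original thread: it lists PIDs straight from /proc, which a replaced ps binary cannot filter, and reports any that the ps output omits. The function names are my own; `hidden_pids` is the pure comparison and `check_live` runs it against the real system.

```shell
#!/bin/sh
# Cross-check the process list. A trojaned ps filters what it prints, but
# it cannot remove the per-process directories the kernel exposes in /proc.

# pids_from_proc: PIDs the kernel knows about (numeric entries in /proc).
pids_from_proc() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done
}

# pids_from_ps: PIDs as reported by the (possibly tampered) ps binary.
pids_from_ps() {
    ps -e -o pid= | tr -d ' '
}

# hidden_pids LIST_A LIST_B: print every PID in LIST_A that is absent from
# LIST_B. Both are whitespace-separated so the logic can be exercised on
# constructed input without touching the live system.
hidden_pids() {
    known=" $(printf '%s ' $2)"   # normalise separators to single spaces
    for p in $1; do
        case "$known" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# check_live: compare /proc against ps twice and only report a PID that is
# still in /proc and still missing from ps on the second pass, so processes
# that simply exited between the two listings are not flagged.
check_live() {
    first=$(hidden_pids "$(pids_from_proc)" "$(pids_from_ps)")
    if [ -z "$first" ]; then
        echo "no processes hidden from ps"
        return 0
    fi
    sleep 1
    second=$(hidden_pids "$(pids_from_proc)" "$(pids_from_ps)")
    found=0
    for p in $first; do
        if printf '%s\n' "$second" | grep -qx "$p"; then
            echo "HIDDEN pid $p: $(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null)"
            found=1
        fi
    done
    return $found
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

A kernel module that also hides entries from /proc defeats this check; a replaced ps binary, which is what the thread is worried about, does not.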