
Re: [cobalt-users] Hacked ??



From: "Joe Lange" <jlange@xxxxxxxxxxx>

> Logging into my RAQ it looks like someone is using it for scanning but I
> cannot find the process. I have limited access to our network via tcp wrap
> but it appears someone is still using the box ... This is a production DNS
> server so taking it offline is not a very good option if it can be avoided.
> Can someone offer some advice on how to stop the attack ????

Joe,

Go to redhat.com and get rpms for ps, netstat, ls, kill, su and anything
else you might use at the command line. Install them fresh into your machine
to ensure that you're not using trojaned/hacked versions. Use netstat -p to
find the programs making those connections, then ps ax to find pids. Kill
the pids (kill -s SIGSTOP if you want to study them before sending SIGTERM).

Alas, even with a helluva lotta effort, it won't be easy to track down all
the back doors that may have been left on the system. Once you've restored
your crucial binaries (ps, netstat, ls, etc), search your process list for
odd entries. Also, this is a big one, look for files created / modified
within the last few days / weeks (depending on when the hack occurred). Use
the find command for that (oh yeah, reload that from an rpm too). Also,
check for suid root files.

Do all this ASAP, as the longer you wait the harder it will be to find this
stuff (because the more files will be modified by users/system processes).
With that in mind, you may want to restore those basic binary tools
(netstat, ls, ps) into an isolated folder to cause as little disturbance to
the existing system as possible. By preserving evidence you can help trace
the hack.

The absolute best thing to do would be a complete restore, as it is the only
way to absolutely ensure no back doors. This is why you should have a
secondary DNS server.

Kevin
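As an added example (not from this thread or from Cobalt), here is a small POSIX sh helper that follows the triage steps Kevin lists: put freshly reinstalled tools first in PATH, list connections with their owning PIDs, find recently modified files, find setuid files, and freeze a PID with SIGSTOP before deciding whether to terminate it. The clean-tools directory /root/clean-bin is an assumed location.

```shell
#!/bin/sh
# Triage helper written for this example; assumes a Linux host with /proc
# and freshly reinstalled ps/netstat/ls/find/kill placed in TOOLS_DIR.
TOOLS_DIR="${TOOLS_DIR:-/root/clean-bin}"   # assumed path, adjust as needed
if [ -d "$TOOLS_DIR" ]; then
    PATH="$TOOLS_DIR:$PATH"; export PATH
fi

# Sockets with the program/PID that owns them (needs root to see all).
list_connections() {
    netstat -anp 2>/dev/null
}

# Regular files under $1 modified within the last $2 days (same filesystem only).
recent_files() {
    find "$1" -xdev -type f -mtime "-$2" -print 2>/dev/null
}

# Setuid files under $1 owned by user $2 (defaults to root).
suid_files() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 -print 2>/dev/null
}

# Show what a suspicious PID is actually running before touching it.
inspect_pid() {
    ls -l "/proc/$1/exe" "/proc/$1/cwd" 2>/dev/null
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null; echo
}

# Pause a process so it can be studied; resume with CONT or end with TERM.
freeze_pid() {
    kill -s STOP "$1"
}

# Usage (run as root): recent_files / 14 ; suid_files / ; inspect_pid 1234
```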