
RE: [cobalt-users] [RaQ XTR] root pwd stolen, web services down,lost control over machine



It is best to use the restore CD to reinstall your system. (You
never know what is altered.)
Then recreate the site from backup.

Keep in mind that the .raq files won't work correctly. Maybe you can tar
every site?

Make backups, it is a must!!!!!

Anyway, you're in deep shit.


-----Original message-----
From: Etienne Antoniutti Di Muro [mailto:etienne@xxxxxxxxxxxxx]
Sent: Friday 15 June 2001 11:25
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: [cobalt-users] [RaQ XTR] root pwd stolen, web services
down,lost control over machine


Dear list members,
this is my first message posted, so Hi everybody !!
As my experience with the XTR increases, I hope to be of help as
well.


Someone hacked my RaQ XTR.

Results:
1- root pwd stolen, I have no more control over the appliance;
2- can't change any pwd with 'passwd' in a telnet session, even admin's
after a regular login!!!; (maybe password and shadow files corrupted
???)
3- web server is not working ==>> no more browser interface to set up
services;
4- log files (ie 'last' output) deleted
5- launching 'man' command it replies with "THE TERMINAL IS NOT
WORKING PROPERLY"
6- found a "cocaine.c" file at '/' level in the filesystem

a pretty mess, uh?!!

I've tried to reset admin password from the LCD console, but no luck,
'passwd' command is not working yet, and at the moment the server has no
admin password.
I'm going to try with some cracking software to get through and get the
root back.


Isn't there a way to restore the machine with factory defaults, and
clean up filesystem and restart all services, properly ??

any idea ???

tnx in advance
etienne

_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users