[cobalt-users] [RaQ3] Kernel IP routing table HACKED?
- Subject: [cobalt-users] [RaQ3] Kernel IP routing table HACKED?
- From: enrique <enriquevega@xxxxxxx>
- Date: Wed Jul 25 02:12:09 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
My RaQ3 was recently hacked by Dwarf. I was notified by a change to an index.html page. When I tracked it, I found that they had somehow gotten root access. So I've been in the process of trying to secure the RaQ3. I've closed the system with hosts.deny and only hosts.allow a few known IP numbers. But when I do an /sbin/route, I get a suspicious IP number, 169.254.183.37, which seems to end up at blackhole.isi.edu.

Now, I have little knowledge of Linux and would like to ask you folks if I have an open relay hack. If so, can you tell me what I need to do to stop this? I have rebooted the box, but this IP address must be hardcoded somewhere. Note that xxx.xxx.xx.x is my IP address, which I am not showing for reasons you probably know.

I've included a couple of commands which show info, but I am unable to decipher it. Thank you in advance for any assistance you can give!
[root@www admin]# /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
169.254.183.37  *               255.255.255.255 UH    0      0        0 eth0
xxx.xxx.xx.x    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         xxx.xxx.xx.x    0.0.0.0         UG    0      0        0 eth0

[root@www admin]# /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:10:E0:01:28:89
          inet addr:xxx.xxx.xx.x  Bcast:xxx.xxx.xx.x  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:117588 errors:0 dropped:0 overruns:0 frame:0
          TX packets:117485 errors:0 dropped:0 overruns:0 carrier:0
          collisions:5232 txqueuelen:100
          Interrupt:11 Base address:0x1000

eth0:0    Link encap:Ethernet  HWaddr 00:10:E0:01:28:89
          inet addr:169.254.183.37  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0x1000
To get rid of this IP, should I do the following?

/sbin/route add -host 169.254.183.37 reject

Will this remove them forever? Even after a reboot?
enrique
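As an added example, not part of the original post, the Python script below parses `route` and `ifconfig` output of the kind quoted above and correlates each route with the interface address that the kernel derived it from, flagging destinations in the 169.254.0.0/16 link-local range (RFC 3927). The sample output is constructed from the post, with the masked xxx.xxx.xx.x address replaced by the documentation range 192.0.2.0/24 (gateway 192.0.2.1 is likewise an assumption).

```python
import ipaddress
import re

# Constructed sample modelled on the post; masked address replaced with 192.0.2.0/24.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
169.254.183.37  *               255.255.255.255 UH    0      0        0 eth0
192.0.2.0       *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         192.0.2.1       0.0.0.0         UG    0      0        0 eth0
"""
IFCONFIG_OUTPUT = """\
eth0      Link encap:Ethernet  HWaddr 00:10:E0:01:28:89
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
eth0:0    Link encap:Ethernet  HWaddr 00:10:E0:01:28:89
          inet addr:169.254.183.37  Bcast:169.254.255.255  Mask:255.255.0.0
"""
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 auto-IP range

def parse_ifconfig(text):
    # Map each interface (or alias such as eth0:0) to its configured address/mask.
    addrs, iface = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # heading line names the interface
            iface = line.split()[0]
        m = re.search(r"inet addr:(\S+).*Mask:(\S+)", line)
        if m and iface:
            addrs[iface] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return addrs

def parse_routes(text):
    # Yield (destination network, flags) for each data row, skipping the two headers.
    for line in text.splitlines()[2:]:
        dest, _gw, mask, flags = line.split()[:4]
        dest = "0.0.0.0" if dest == "default" else dest
        yield ipaddress.ip_network(f"{dest}/{mask}", strict=False), flags

def explain_routes(route_text, ifconfig_text):
    # For each route, find the interface whose address produced it: a /32 host route
    # (UH) for the address itself, or the connected network (U) for its mask.
    addrs = parse_ifconfig(ifconfig_text)
    rows = []
    for net, flags in parse_routes(route_text):
        src = next((n for n, a in addrs.items()
                    if net == a.network
                    or (net.prefixlen == 32 and net.network_address == a.ip)), None)
        rows.append((str(net), flags, src, net.subnet_of(LINK_LOCAL)))
    return rows
```

On the sample, both 169.254 routes resolve to the eth0:0 alias, which shows they are the connected routes the kernel installs for that interface's configured address rather than separate routing entries.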