Re: [cobalt-users] extreme newbie with possible virus



Hi,

You may have either a worm or have been hacked.

The way to tell is:

Get another computer running Linux or something and put it _right_ next to the RaQ on the same hub/switch. If it is a switch you may need to hook a hub up to that port on the switch and then to your Linux box and the RaQ. This allows you to snoop the traffic to and from the RaQ, since most switches do not echo traffic to all ports on the switch like hubs do. If you have a good switch (Cisco, Bay Networks, etc.) you might be able to set it to echo all traffic to some specific port where your Linux machine is. Then use 'sniffit' or some similar program to sniff packets and watch for activity. There are many local ports that are legit, so watch for activity that looks like _a lot_ of ports and IPs.

Unfortunately, there is little to do except call an expert to have a look, really, if any of that sounded like Greek, or difficult. This is due to the fact that once ON the machine, certain programs are installed to HIDE you from being able to SEE what is going on. Both worms and hackers do that. The typical 'rootkit' (what that process and the kit it is done with are called) replaces stuff like: netstat, ls, ps, ssh, sshd, ptrace, strace, ... and lots more... so it is really, really hard to catch them. The best thing to do, if you really think it has a problem, is to unplug it from the net without letting the hacker know you are there, as often they will delete files or do something nasty, like 'rm -fr /', if they find they have been discovered. So, unplug it from the net suddenly and have the 'security expert' give it a once-over immediately. DO NOT SHUT DOWN, as there may be memory-resident stuff that can pinpoint where they came from, how they got on, what they were typing and what their intent was, and that could be lost if you reboot or shut off anything. This is necessary if you ever plan to follow up with the FBI or law enforcement. I suspect if it is really hacked you will need to re-install from the original OS media to make sure they cannot get back on your machine... A typical trick of hackers, should you not do 'security tightening procedures' on the machine, is to come right back using the SAME way they got on before.


I hope that helps.


Christopher

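The reply above says to sniff from a neighbouring box and watch for traffic that touches "a lot of ports and IPs". The script below is an added example (not from the list post or from Cobalt) of the kind of triage that turns a sniffer's packet summaries into that signal: it tallies, per source address, how many distinct destination hosts and destination ports appear, and flags any source that crosses a threshold. The capture lines, the simple `src:port > dst:port` line format, the addresses (192.0.2.10 standing in for the RaQ) and the thresholds are all constructed assumptions; real sniffer output will need its own `parse_line`.

```python
"""Flag hosts whose traffic touches unusually many distinct peers or ports.

Added example, not from the mailing list post. It assumes sniffer output has
been reduced to one line per packet in the constructed form
    "<src_ip>:<src_port> > <dst_ip>:<dst_port>"
(the real format depends on the sniffer; adjust parse_line accordingly).
"""
import re
from collections import defaultdict

# One packet per line, e.g. "192.0.2.10:1025 > 198.51.100.5:80"
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample capture: 192.0.2.10 stands in for the RaQ.
SAMPLE_LINES = (
    # ordinary web and mail traffic to two known peers
    ["192.0.2.10:1025 > 198.51.100.5:80"] * 3
    + ["192.0.2.10:1026 > 198.51.100.6:25"]
    # the RaQ reaching out to twelve unrelated hosts on the same port
    + [f"192.0.2.10:{1100 + i} > 203.0.113.{i}:80" for i in range(1, 13)]
    # one outside host hitting eight different ports on the RaQ
    + [f"203.0.113.77:40000 > 192.0.2.10:{p}"
       for p in (21, 22, 23, 25, 80, 110, 111, 143)]
)


def parse_line(line):
    """Return (src, sport, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def summarize(lines):
    """Per source IP: (set of distinct destination IPs, set of destination ports)."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip headers, blank lines and anything unparsable
        src, _, dst, dport = parsed
        peers[src].add(dst)
        ports[src].add(dport)
    return {src: (peers[src], ports[src]) for src in peers}


def flag_noisy_sources(lines, max_peers=10, max_ports=6):
    """Sources touching at least max_peers IPs or at least max_ports ports.

    Thresholds are arbitrary starting points; tune them against a capture
    taken when the machine is known to be quiet.
    Returns a sorted list of (src, distinct_peers, distinct_ports, reasons).
    """
    flagged = []
    for src, (peers, ports) in summarize(lines).items():
        reasons = []
        if len(peers) >= max_peers:
            reasons.append(f"{len(peers)} distinct destination IPs")
        if len(ports) >= max_ports:
            reasons.append(f"{len(ports)} distinct destination ports")
        if reasons:
            flagged.append((src, len(peers), len(ports), reasons))
    return sorted(flagged)


if __name__ == "__main__":
    for src, n_peers, n_ports, reasons in flag_noisy_sources(SAMPLE_LINES):
        print(f"{src}: {'; '.join(reasons)}")
```

On the constructed sample this flags the RaQ itself for fanning out to 14 distinct hosts (the worm-like pattern the reply describes) and the outside host for touching 8 ports on the RaQ, while the ordinary web and mail traffic alone flags nothing. Run it on a box other than the suspect machine: as the reply notes, a rootkit may have replaced the tools on the RaQ itself.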

Lenore Howe wrote:

> I have recently (a week ago) inherited the job of webmaster due to a layoff.
> I am running a Cobalt RAQ3 with OS 5.0.  Last Friday, I got an email from
> someone saying that my server was port-sniffing which probably indicated
> that I had some sort of virus. Since then, I've heard from different sources
> that Norton Anti-virus software signals the presence of a virus on pages
> downloaded from the website.
>
> I have scanned the backed up pages of the website for a virus using McAfee
> and have found nothing.  I have installed all of the updates and patches and
> still I'm hearing from people about a virus.
>
> Can someone help me figure out how to determine IF I have a virus and what I
> can do about it?  How far back do I have to go in my backups to insure that
> I have a clean version of the website? At the Server Management console, all
> of the services are running fine.
>
> Thanks.
>
> Lenore Howe
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users