
[cobalt-users] Another Exploit?!? (different than before)...



Guys,

Seems we were violated last night sometime just before midnight. I have all
the patches installed previously (and have rebooted) and have telnet
disabled and use ssh. (Raq4i running all the patches).

Problem is I have no idea how they got in or what to do to stop them. The
only thing I can provide for clues is what they have done after they gained
access:
- they added new users to the passwd and shadow files
- they added new services to the inetd.conf file allowing telnet and root
access on specific ports
- the files LOGIN (f/s 12723) and XSTAT (f/s 12768) in the /bin/ dir have now
changed with the date/time the hack occurred. I will need these files from
someone with a 4i as I need to replace them.
- they created bogus directories in /sbin/ with three dots "..."  - nothing
in them.
- nothing located in the /tmp directory besides the normal stuff
- they modified the .bash_history to redirect to /dev/null
- There are several entries, approx 100 within 8 seconds, in the Secure log
around the same time as the exploit with this syntax, all trying different
IP's on my network:
" Dec 11 00:33:26 raq4-1 proftpd[31068]: my.ip.add.res
(bzq-236-175.red.bezeqint.net[212.179.236.175]) - USER anonymous: no such
user found from bzq-236-175.red.bezeqint.net [212.179.236.175] to
my.ip.add.res:21"

Possibly an FTP exploit? I dunno and it's starting to become an issue. If
there is a separate update that isn't included with the latest .pkg
releases, could someone point me in the right direction?

Thanks,
Jordan Sharples
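Two triage checks a practitioner would run on a box showing the symptoms listed above, as an added example that is not code from the original post or from Cobalt: a sliding-window count of proftpd "USER ...: no such user found" failures per remote address over the secure log (the ~100-in-8-seconds burst), and a scan of inetd.conf for the backdoor pattern described (telnet re-enabled, a bare port number used as the service name, a shell spawned as root). The log lines and inetd.conf contents below are constructed to mirror the line quoted in the post; the threshold of 10 failures in 8 seconds, the local 10.1.2.x addresses and the 203.0.113.9 / 198.51.100.4 hosts are assumptions for the demo.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Matches the proftpd "no such user" line quoted in the post:
# remote host[ip], attempted user, local address:port that was hit.
PROFTPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) proftpd\[\d+\]: "
    r"(?P<local>\S+) \((?P<rhost>[^\[]+)\[(?P<rip>[\d.]+)\]\) - "
    r"USER (?P<user>\S+): no such user found .* to (?P<dst>\S+):(?P<port>\d+)$"
)


@dataclass
class FtpFailure:
    ts: datetime
    rip: str
    rhost: str
    user: str
    dst: str


def parse_proftpd_failures(lines):
    """Return one FtpFailure per matching secure-log line; other lines are skipped."""
    events = []
    for line in lines:
        m = PROFTPD_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
        events.append(FtpFailure(ts, m["rip"], m["rhost"], m["user"], m["dst"]))
    return events


def burst_sources(events, threshold=10, window=8):
    """Per remote IP, the largest number of failures inside any `window` seconds.
    Sources reaching `threshold` are returned with the local targets they swept."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.rip].append(ev)
    hits = {}
    for rip, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start, best = 0, 0
        for end in range(len(evs)):          # two-pointer sliding window
            while (evs[end].ts - evs[start].ts).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[rip] = {
                "max_in_window": best,
                "rhost": evs[0].rhost,
                "targets": sorted({e.dst for e in evs}),
            }
    return hits


SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}


def suspicious_inetd_entries(text):
    """Flag inetd.conf entries matching the backdoor pattern from the post.
    Returns (line number, line, [reasons]) for each suspicious active entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue                           # not a complete inetd entry
        service, _sock, _proto, _wait, user, server = fields[:6]
        args = fields[6:]
        reasons = []
        if service.isdigit():
            reasons.append("numeric port used as service name")
        prog = server.rsplit("/", 1)[-1]
        wrapped = args[0].rsplit("/", 1)[-1] if args else ""  # daemon behind tcpd
        if prog in SHELLS or wrapped in SHELLS:
            reasons.append("server program is a shell run as %s" % user)
        if "telnetd" in prog or "telnetd" in wrapped:
            reasons.append("telnet service enabled")
        if reasons:
            findings.append((lineno, line, reasons))
    return findings


# ---- constructed sample data (not from the poster's server) ----
_BASE = ("Dec 11 00:33:{sec:02d} raq4-1 proftpd[{pid}]: 10.1.2.{n} "
         "(bzq-236-175.red.bezeqint.net[212.179.236.175]) - USER anonymous: "
         "no such user found from bzq-236-175.red.bezeqint.net [212.179.236.175] "
         "to 10.1.2.{n}:21")
SAMPLE_SECURE_LOG = (
    # 12 probes against 12 local addresses within 7 seconds: the sweep
    [_BASE.format(sec=26 + (i * 7) // 11, pid=31068 + i, n=i + 1) for i in range(12)]
    # a slow probe, one attempt every ten minutes: below threshold
    + ["Dec 11 00:{m:02d}:00 raq4-1 proftpd[30000]: 10.1.2.1 (scanner.example"
       "[203.0.113.9]) - USER anonymous: no such user found from scanner.example "
       "[203.0.113.9] to 10.1.2.1:21".format(m=m) for m in (10, 20, 30)]
    + ["Dec 11 00:33:30 raq4-1 sshd[31100]: Accepted publickey for admin from "
       "198.51.100.4 port 40122"]
)
SAMPLE_INETD_CONF = """\
# constructed /etc/inetd.conf sample
ftp        stream  tcp  nowait  root  /usr/sbin/tcpd  proftpd
#telnet    stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
pop-3      stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
telnet     stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
6667       stream  tcp  nowait  root  /bin/sh         sh -i
ingreslock stream  tcp  nowait  root  /bin/bash       bash -i
"""

if __name__ == "__main__":
    for rip, info in burst_sources(parse_proftpd_failures(SAMPLE_SECURE_LOG)).items():
        print("sweep from %s (%s): %d failures in window, %d local targets"
              % (rip, info["rhost"], info["max_in_window"], len(info["targets"])))
    for lineno, line, reasons in suspicious_inetd_entries(SAMPLE_INETD_CONF):
        print("inetd.conf:%d %s  <- %s" % (lineno, line, "; ".join(reasons)))
```

On a real box, feed `parse_proftpd_failures(open("/var/log/secure"))` and `suspicious_inetd_entries(open("/etc/inetd.conf").read())`; run it from known-good media, since the post notes /bin binaries on the host were already replaced.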