
Re: [cobalt-users] Another Exploit?!? (different than before)...



Would love to help ya, kind of a hobby of mine... but need more info. You
obviously need to figure out how they got in, otherwise you can't figure out
what to patch :)

What version of ssh do you have? SSH 3.0 from SSH.com has a known root
exploit vulnerability. Older versions of proftp, the ftp server on the raq,
also have many known exploits (some of which use anonymous authentication,
which it looks like is what is being used here). Since the proftp daemon is
set by default to run as root, a proftp exploit is a root exploit.

Run "proftpd --v" (no quotes) at the command line and find out what version
of proftp you have running.

I don't suppose you happened to have an IDS/sniffer running at the time of
the exploit? Didn't think so. How about a file integrity checker (tripwire,
fcheck)? No? Oh well. What we don't have, we must live without...

Use the find command to search for any files with atimes, ctimes, and mtimes
that correspond with the exact date of the attack ("man find" for details).
If you haven't mucked around with the box too much yet, this will yield the
most promising results. If you've mucked around a lot with it, this won't
help you much.

Oh, and, try to relax...

Did I mention that you should unplug the box from the public network?

Kevin

----- Original Message -----
From: "Jordan Sharples" <jordan@xxxxxxxxxxx>
To: "Cobalt-Users@List. Cobalt. Com" <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, December 11, 2001 12:11 PM
Subject: [cobalt-users] Another Exploit?!? (different than before)...


> Guys,
>
> Seems we were violated last night sometime just before midnight. I have all
> the patches installed previously (and have rebooted) and have telnet
> disabled and use ssh. (Raq4i running all the patches).
>
> Problem is I have no idea how they got in or what to do to stop them. The
> only thing I can provide for clues is what they have done after they gained
> access:
> - they added new users to the passwd and shadow files
> - they added new services to the inetd.conf file allowing telnet and root
> access on specific ports
> - the file LOGIN (f/s 12723) and XSTAT (f/s 12768) in the /bin/ dir have now
> changed with the date/time the hack occurred. I will need these files from
> someone with a 4i as I need to replace them.
> - they created bogus directories in /sbin/ with three dots "..." - nothing
> in them.
> - nothing located in the /tmp directory besides the normal stuff
> - they modified the .bash_history to redirect to /dev/null
> - There are several entries, approx 100 within 8 seconds, in the Secure log
> around the same time as the exploit with this syntax all trying different
> IPs on my network:
> " Dec 11 00:33:26 raq4-1 proftpd[31068]: my.ip.add.res
> (bzq-236-175.red.bezeqint.net[212.179.236.175]) - USER anonymous: no such
> user found from bzq-236-175.red.bezeqint.net [212.179.236.175] to
> my.ip.add.res:21"
>
> Possibly an FTP exploit? I dunno and it's starting to become an issue. If
> there is a separate update that isn't included with the latest .pkg
> releases, could someone point me in the right direction?
>
> Thanks,
> Jordan Sharples
>
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
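Two triage helpers that follow the advice in this thread, added here as an example and not code posted by Kevin, Jordan or the cobalt-users list. The first does in Python what Kevin's "use find on atime/ctime/mtime" suggestion does: it walks a tree and reports every path whose access, inode-change or modification time falls inside the suspected attack window. The second parses proftpd "USER anonymous: no such user found" lines of the shape Jordan quoted and flags any source address that produced a burst of them inside a short window (the post describes roughly 100 within 8 seconds). The sample log lines, the log year, the hostnames and the TEST-NET addresses are all constructed for the example; syslog lines carry no year, so the caller supplies it.

```python
"""Triage helpers for a suspected break-in (added example, not list code)."""
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime

# Shape of the proftpd lines quoted in the thread; the tail of the line
# ("from host [addr] to ip:21") is not needed and is left unanchored.
PROFTPD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) proftpd\[(?P<pid>\d+)\]: \S+ "
    r"\((?P<src>[^)]*)\) - USER (?P<user>\S+): no such user found"
)

# Constructed sample of a "secure" log (hostnames and addresses are fake).
SAMPLE_SECURE_LOG = [
    "Dec 11 00:33:26 raq4-1 proftpd[31068]: 198.51.100.7 (scanner.example[192.0.2.10]) - USER anonymous: no such user found from scanner.example [192.0.2.10] to 198.51.100.7:21",
    "Dec 11 00:33:27 raq4-1 proftpd[31069]: 198.51.100.8 (scanner.example[192.0.2.10]) - USER anonymous: no such user found from scanner.example [192.0.2.10] to 198.51.100.8:21",
    "Dec 11 00:33:27 raq4-1 proftpd[31070]: 198.51.100.9 (scanner.example[192.0.2.10]) - USER anonymous: no such user found from scanner.example [192.0.2.10] to 198.51.100.9:21",
    "Dec 11 00:33:29 raq4-1 proftpd[31071]: 198.51.100.10 (scanner.example[192.0.2.10]) - USER anonymous: no such user found from scanner.example [192.0.2.10] to 198.51.100.10:21",
    "Dec 11 00:33:33 raq4-1 proftpd[31072]: 198.51.100.11 (scanner.example[192.0.2.10]) - USER anonymous: no such user found from scanner.example [192.0.2.10] to 198.51.100.11:21",
    "Dec 11 00:40:00 raq4-1 proftpd[31090]: 198.51.100.7 (typo.example[203.0.113.5]) - USER anonymous: no such user found from typo.example [203.0.113.5] to 198.51.100.7:21",
    "Dec 11 00:41:12 raq4-1 sshd[31100]: Accepted password for admin from 198.51.100.2",
]


def parse_syslog_ts(mon, day, hms, year):
    """Convert a year-less syslog timestamp to epoch seconds (local time)."""
    return datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S").timestamp()


def anonymous_login_bursts(lines, year, threshold=100, window=8):
    """Return {source_address: peak_count} for every source that produced at
    least `threshold` failed 'USER ...: no such user' lines inside any
    `window`-second span. Defaults mirror the ~100-in-8s burst from the post."""
    per_src = defaultdict(list)
    for line in lines:
        m = PROFTPD_RE.match(line.strip().strip('"'))
        if not m:
            continue  # unrelated daemon or a line we cannot parse
        ts = parse_syslog_ts(m["mon"], m["day"], m["time"], year)
        addr = re.search(r"\[([^\]]+)\]", m["src"])  # "name[addr]" -> addr
        per_src[addr.group(1) if addr else m["src"]].append(ts)
    bursts = {}
    for src, stamps in per_src.items():
        stamps.sort()
        best, lo = 0, 0
        for hi in range(len(stamps)):  # sliding window over sorted times
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def files_touched_in_window(root, start, end):
    """Walk `root` and list (path, [which timestamps]) for entries whose
    atime, ctime or mtime lies in [start, end] epoch seconds. Run it before
    poking at the box: merely reading a file refreshes its atime."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow planted symlinks
            except OSError:
                continue
            stamps = {"atime": st.st_atime, "ctime": st.st_ctime, "mtime": st.st_mtime}
            matched = sorted(k for k, v in stamps.items() if start <= v <= end)
            if matched:
                hits.append((path, matched))
    return hits


def make_sample_tree(when):
    """Build a constructed scratch tree with one file whose atime and mtime
    are set to `when`; ctime cannot be set and stays 'now'. Returns its path."""
    root = tempfile.mkdtemp(prefix="triage-")
    path = os.path.join(root, "login")
    with open(path, "w") as fh:
        fh.write("constructed sample\n")
    os.utime(path, (when, when))
    return path


if __name__ == "__main__":
    print(anonymous_login_bursts(SAMPLE_SECURE_LOG, 2001, threshold=5))
    sample = make_sample_tree(1008000000.0)
    print(files_touched_in_window(os.path.dirname(sample), 1007999940.0, 1008000060.0))
```

The burst detector deliberately keys on the address in square brackets rather than the reverse-DNS name, since the name is whatever the source's PTR record says; the file sweep uses `lstat` so a symlink dropped in `/sbin/...` is reported by its own timestamps rather than those of its target.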