
RE: [cobalt-users] Another Exploit?!? (different than before)...



> Would love to help ya, kind of a hobby of mine... but need more info. You
> obviously need to figure out how they got in, otherwise you can't figure
> out what to patch :)

> What version of ssh do you have? SSH 3.0 from SSH.com has a known root
> exploit vulnerability. Older versions of proftp, the ftp server on the
> raq, also have many known exploits (some of which use anonymous
> authentication, which it looks like is what is being used here). Since the
> proftp daemon is set by default to run as root, a proftp exploit is a root
> exploit.

Kevin - this is the version of SSH that is installed:
http://pkg.nl.cobalt.com/i386/RaQ3-RaQ4-OpenSSH-Server-2.1.1p2.pkg

> Run "proftpd --v" (no quotes) at the command line and find out what
> version of proftp you have running.

Proftpd -vv returns version 1.2.2rc1

> I don't suppose you happened to have an IDS/sniffer running at the time of
> the exploit? Didn't think so. How about a file integrity checker
> (tripwire, fcheck)? No? Oh well. What we don't have, we must live without...

No sorry, no sniffer was running.

> Use the find command to search for any files with atimes, ctimes, and
> mtimes that correspond with the exact date of the attack ("man find" for
> details). If you haven't mucked around with the box too much yet, this will
> yield the most promising results. If you've mucked around a lot with it,
> this won't help you much.

I already ran the find command previously; that is how I found the other
files that have changed. It doesn't appear that they actually "did" anything
besides gain entry.

> Oh, and, try to relax...

Sure, relax, I should have been a car salesman like my Dad told me to be...
Jordan.
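For anyone following the thread who wants the "find by atime/ctime/mtime around the attack date" step in a reusable form, here is an added example. It is not from either poster and not a Cobalt tool; it assumes GNU findutils (-newermt, -newerct, -printf), so BSD find will need different options. The directory names, dates and file names in the demo are made up.

```shell
#!/bin/sh
# Added example, not from the list thread: a small timeline helper for the
# "find files changed around the attack date" step.
# Assumes GNU findutils (-newermt, -newerct, -printf); BSD find differs.

# find_changed_between DIR START END [FORMAT]
#   Print regular files under DIR whose mtime OR ctime is >= START and < END.
#   START/END are any date strings GNU find accepts, e.g. '2001-06-15 00:00'.
#   ctime cannot be set with touch(1), so a ctime hit inside the window is
#   worth a closer look even when the mtime looks innocent.
#   Output columns: mtime, ctime, path (override with a -printf FORMAT).
find_changed_between() {
    dir="$1"; start="$2"; end="$3"
    fmt="${4:-%TY-%Tm-%Td %TH:%TM  %CY-%Cm-%Cd %CH:%CM  %p\n}"
    find "$dir" -xdev -type f \
        \( \( -newermt "$start" ! -newermt "$end" \) \
        -o \( -newerct "$start" ! -newerct "$end" \) \) \
        -printf "$fmt" 2>/dev/null | sort
}

# count_by_dir DIR START END
#   Same window, summarised as "<count> <directory>" lines, most hits first.
#   A burst of changes in one directory is a good place to start reading.
count_by_dir() {
    find_changed_between "$1" "$2" "$3" '%h\n' | sort | uniq -c | sort -rn
}

# find_setuid_since DIR START
#   Setuid/setgid files whose inode changed since START. A new or
#   re-permissioned one is a classic leftover after a root compromise, and
#   this is a check worth running even when the mtime search comes up empty.
find_setuid_since() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -newerct "$2" -printf '%M %u %p\n' 2>/dev/null | sort
}

# Stand-alone demo on a constructed directory (paths and timestamps made up).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    touch -d '2001-06-15 03:12' "$d/wtmp.bak"     # inside the window
    touch -d '2001-01-01 00:00' "$d/untouched"    # outside the window
    find_changed_between "$d" '2001-06-14 00:00' '2001-06-16 00:00'
    count_by_dir "$d" '2001-06-14 00:00' '2001-06-16 00:00'
    rm -rf "$d"
fi
```

Run it as "sh timeline.sh --demo" to see the output shape, then source it and point find_changed_between at / with a window of a day or so either side of the suspected entry time. Because every command on the box touches atimes (including find itself), this is most useful before much else has been run, which is the same caveat Kevin gives above.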