Re: [cobalt-users] Another Exploit?!? (different than before)...
- Subject: Re: [cobalt-users] Another Exploit?!? (different than before)...
- From: "Kevin D" <kdlists@xxxxxxxxxxxxxxx>
- Date: Thu Dec 13 06:54:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Kevin - this is the version of SSH that is installed:
> http://pkg.nl.cobalt.com/i386/RaQ3-RaQ4-OpenSSH-Server-2.1.1p2.pkg
Update ssh to the latest package.
http://www.openssh.com/security.html
shows that there are several security issues and there is an updated package
at http://pkg.nl.cobalt.com/i386/
The latest version of OpenSSH is 3.0.2.
> Proftpd -vv returns version 1.2.2rc1
The proftpd.org web site claims that there are no known security issues with
this version of proftpd. However, there are later releases of proftpd that
you can compile and install on your RaQ if you're paranoid.
> No sorry, no sniffer was running.
Get tripwire or fcheck. They help IMMENSELY with intrusion detection by
telling you exactly which files have been modified, and when. fcheck is open
source and free. They are better than timestamps because timestamps can
easily be altered. I would also set up a sniffer and keep it running for a
while. If a breach does occur again, this will give you the best data to
analyse and figure out what the heck is going on.
I would also try to correlate that IP with anything else in all of the other
logs (including http). If you haven't already, try to talk to the ISP that
is responsible for that IP. If you're really lucky, you'll get a cool admin
who may be able to provide you with helpful info.
If I were you, I would painstakingly check each version of all of your
public services (pop, dns, www, etc.) for version numbers, then check the
vendor web sites for security issues. Also, there's a chance that the
hackers are getting in via CGI scripts, so make sure you check the combined
http logs for funny stuff (especially key words like "passwd" and "../" and
"%2F" and such).
> > Oh, and, try to relax...
>
> Sure, relax, I should have been a car salesman like my Dad told me to be...
Your biggest worry with a compromise like this is web site defacement and
spam. If you have another server, now would be a good time to transfer all
live web sites / email off this server until you can figure out how you're
being exploited.
That said, most hackers don't try to hinder the operation of your server,
although the poor ones sometimes end up doing that. They want your box to
stay running so they can have an owned box as long as possible without
alerting the admin.
Kevin
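To show what a tripwire/fcheck-style check actually does, and why Kevin says it beats looking at timestamps, here is a small added example in Python. It is not part of the original thread and not code from tripwire or fcheck; it hashes every regular file under a tree into a baseline (SHA-256 is my choice of digest), compares a later snapshot against it, and separately flags files whose contents changed while the mtime was put back to its old value, which is what a careful intruder does after replacing a binary. The directory layout and file names in demo() are constructed for the illustration.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, mtime, size} for every regular file under root.

    Symlinks are skipped: an intruder can point one anywhere, and following it
    would hash the target rather than the link.
    """
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_digest(full),
                "mtime": int(st.st_mtime),
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Diff two snapshots. 'backdated' lists files whose contents changed but
    whose mtime is identical to the baseline: the hash catches what a
    forged timestamp is meant to hide."""
    report = {"modified": [], "added": [], "removed": [], "backdated": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
            continue
        if new["sha256"] != old["sha256"]:
            report["modified"].append(rel)
            if new["mtime"] == old["mtime"]:
                report["backdated"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Constructed scenario (not real data): baseline a tiny tree, then have an
    'intruder' trojan a binary and restore its mtime, drop a new file, and
    delete another. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        binary = os.path.join(root, "usr", "bin", "ls")
        os.makedirs(os.path.dirname(binary))
        with open(binary, "wb") as f:
            f.write(b"original ls")
        os.utime(binary, (1_000_000_000, 1_000_000_000))
        with open(os.path.join(root, "etc_motd"), "w") as f:
            f.write("hello")

        base = build_baseline(root)

        # Intruder replaces the binary and puts the old timestamp back.
        with open(binary, "wb") as f:
            f.write(b"trojaned ls")
        os.utime(binary, (1_000_000_000, 1_000_000_000))
        # ...plants a hidden file and removes one that was there.
        with open(os.path.join(root, "dev_hidden"), "w") as f:
            f.write("x")
        os.remove(os.path.join(root, "etc_motd"))

        return compare(base, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9}: {files}")
```

The baseline only has value if the intruder cannot rewrite it too: store it (json.dump of the dict is enough) on read-only media or another host, and run the comparison from a known-good copy of the checker, not the one on the suspect box.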
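Kevin's advice to grep the combined http logs for "passwd", "../" and "%2F" and to correlate the suspect IP across logs can be turned into a short script. The following is an added example in Python, not from the original thread and not from any Cobalt tool. It parses Apache combined-format lines, URL-decodes each request path twice (so "..%2F" and double-encoded "%252e%252e" are caught along with a plain "../"), reports the markers found, and pulls every request from a given IP for correlation. The log lines, IPs and CGI names in SAMPLE_LOG are constructed for the illustration; the null-byte check goes slightly beyond the post's three keywords.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2001:06:12:01 -0500] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Dec/2001:06:12:09 -0500] "GET /cgi-bin/test.cgi?file=../../../../etc/passwd HTTP/1.0" 200 1021 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Dec/2001:06:13:44 -0500] "GET /cgi-bin/view.cgi?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 404 512 "-" "curl/7.9"
192.0.2.44 - - [13/Dec/2001:06:14:02 -0500] "GET /images/logo.gif HTTP/1.0" 200 4412 "http://example.com/" "Mozilla/4.0"
203.0.113.5 - - [13/Dec/2001:06:15:30 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 88 "-" "Mozilla/4.0"
"""

# One combined-format line: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def indicators(path):
    """Return the suspicious markers found in one request path.

    The raw path is checked for an encoded slash; a twice-decoded copy is
    checked for traversal, 'passwd' and a null byte, so single and double
    URL-encoding do not hide them.
    """
    found = []
    decoded = unquote(unquote(path))
    if "%2f" in path.lower():
        found.append("encoded-slash")
    if "../" in decoded or "..\\" in decoded:
        found.append("traversal")
    if "passwd" in decoded.lower():
        found.append("passwd")
    if "\x00" in decoded:
        found.append("null-byte")
    return found


def scan_log(text):
    """Parse each line and return hits as (ip, ts, status, path, markers).
    Unparsable lines are skipped rather than allowed to abort the scan."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        markers = indicators(m["path"])
        if markers:
            hits.append((m["ip"], m["ts"], int(m["status"]), m["path"], markers))
    return hits


def hits_by_ip(hits):
    """Group hits by client address; the addresses are what you then chase
    through the ftp, pop and syslog records."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h[0]].append(h)
    return dict(by_ip)


def requests_from(text, ip):
    """Every request one IP made, benign or not, for correlation."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines())
            if m and m["ip"] == ip]


if __name__ == "__main__":
    for ip, ip_hits in hits_by_ip(scan_log(SAMPLE_LOG)).items():
        print(ip)
        for _, ts, status, path, markers in ip_hits:
            print(f"  {ts} {status} {path}  <- {', '.join(markers)}")
```

A 200 on a traversal request (as in the second sample line) matters more than a 404: it means the CGI may actually have served the file. That is the line to feed into the cross-log correlation first.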