Re: [cobalt-users] RaQ2 Hacked - sshd vulnerability?



Hi,
At 19:12 06-01-2002 -0500, Diana Brake wrote:
>The intruder didn't seem to do much, or even attempt to hide his 
>tracks...but he installed ettercap in root's home directory and set the 
>network card into promiscuous mode.

I hope that you notified the network admin of that.

>My colo's security guy seemed adamant that it was the telnet vulnerability, 
>but I've had telnet turned off via the GUI for nearly a year. The logs 
>showed this:

Did you ask the person why he saw Telnet running on your box?

>Unusual System Events
>=-=-=-=-=-=-=-=-=-=-=
>Jan  6 01:43:32 ****** sshd[31743]: Accepted password for ROOT from 
>64.224.118.113 port 2756 ssh2

This may not mean anything except that someone logged in as ROOT after the
box was compromised.

>This machine was not doing anything functional...no hosting anyway. I use 
>it to play around and test stuff so I don't break my real working machine. 
>I've shut it down and my intention is to bring it home and hook it up so I 
>can "play" with it some more and see what else might have been done. Any 
>suggestions on where and what to look for would be greatly appreciated. 
>Thank goodness for logcheck...:)

Thank goodness the visitor was clueless. :)  Do a web search on forensics.
You should not trust the utilities on the system to find out what really
happened.  You can install the hard disk on another computer (do not use
the compromised system to boot) and analyze it.

Regards,
-sm
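As an added example (not code from the original thread or from the Cobalt project), the script below does the kind of triage logcheck's "Unusual System Events" section hints at: it walks syslog-format lines and flags a password login for a privileged account over sshd and a NIC entering promiscuous mode, the two signals mentioned in the exchange above. It assumes the standard syslog/sshd message format; the sample lines, hostname and RFC 5737 addresses are constructed placeholders. In keeping with the advice not to trust the compromised system's own utilities, it is meant to be run on another machine against log files copied off the suspect disk.

```python
"""Flag log lines worth a human's attention: privileged sshd password logins
and interfaces entering promiscuous mode. Added example, not from the thread."""
import re

# Constructed sample syslog lines (not the original post's log). The hostname
# and the 192.0.2.0/24 addresses are documentation placeholders.
SAMPLE_LOG = """\
Jan  6 01:40:02 raq2 sshd[31700]: Accepted password for alice from 192.0.2.10 port 1022 ssh2
Jan  6 01:43:32 raq2 sshd[31743]: Accepted password for root from 192.0.2.55 port 2756 ssh2
Jan  6 01:44:10 raq2 kernel: device eth0 entered promiscuous mode
Jan  6 01:44:11 raq2 sshd[31750]: Failed password for root from 192.0.2.55 port 2760 ssh2
Jan  6 02:00:00 raq2 cron[123]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic syslog prefix: "Mon dd HH:MM:SS host "
SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "

# sshd's successful-authentication message (assumed format, matches OpenSSH).
SSHD_ACCEPT = re.compile(
    SYSLOG_PREFIX
    + r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Kernel message emitted when a sniffer such as ettercap opens the NIC.
PROMISC = re.compile(
    SYSLOG_PREFIX + r"kernel: device (?P<iface>\S+) entered promiscuous mode"
)


def find_unusual_events(log_text, privileged_users=("root",)):
    """Return a list of dicts, one per flagged line, in log order.

    Each dict carries 'kind' ('privileged_login' or 'promiscuous_mode'),
    the raw 'line', and the fields captured from it.
    """
    privileged = {u.lower() for u in privileged_users}
    events = []
    for line in log_text.splitlines():
        m = SSHD_ACCEPT.match(line)
        if m:
            # Compare case-insensitively: the log quoted in the post shows ROOT in caps.
            if m.group("user").lower() in privileged:
                events.append({"kind": "privileged_login", "line": line, **m.groupdict()})
            continue
        m = PROMISC.match(line)
        if m:
            events.append({"kind": "promiscuous_mode", "line": line, **m.groupdict()})
    return events


def sources_of_privileged_logins(events):
    """Map each source address to how many privileged logins it performed,
    which is the first thing to hand to the network admin."""
    counts = {}
    for e in events:
        if e["kind"] == "privileged_login":
            counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_unusual_events(SAMPLE_LOG)
    for e in found:
        print(f"{e['kind']:17} {e['line']}")
    print("privileged logins by source:", sources_of_privileged_logins(found))
```

Only successful logins are flagged; the failed root attempt in the sample is deliberately left out so the output stays short, and a real triage pass would add a second pattern for "Failed password" to see the attempts that preceded the success.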