Re: [cobalt-users] RaQ2 Hacked - sshd vulnerability?
- Subject: Re: [cobalt-users] RaQ2 Hacked - sshd vulnerability?
- From: Diana Brake <diana@xxxxxxxxxxxxx>
- Date: Mon Jan 7 19:27:15 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
At 01:47 AM 1/7/02, you wrote:
> Hi,
> At 19:12 06-01-2002 -0500, Diana Brake wrote:
> >The intruder didn't seem to do much, or even attempt to hide his
> >tracks...but he installed ettercap in root's home directory and set the
> >network card into promiscuous mode.
> I hope that you notified the network admin of that.
> >My colo's security guy seemed adamant that it was the telnet vulnerability,
> >but I've had telnet turned off via the GUI for nearly a year. The logs
> >showed this:
> Did you ask the person why he saw Telnet running on your box?
> >Unusual System Events
> >=-=-=-=-=-=-=-=-=-=-=
> >Jan 6 01:43:32 ****** sshd[31743]: Accepted password for ROOT from
> >64.224.118.113 port 2756 ssh2
> This may not mean anything except that someone logged in as ROOT after the
> box was compromised.
<stuff snipped>
Thanks sm,
I did tell the network/security guy at the colo about the promiscuous
setting on the card...we all changed passwords for everything...and it's a
small outfit that has somehow escaped the "big fish" ISP buyouts...:)
They're good people so I hope it stays this way. I'll have to ask him more
about why he was so sure telnet was running. I had disabled it from the
GUI...double checked to see that it was commented out in the
inetd.conf...and set portsentry to fire its stuff whenever port 23 was
probed. The box is disconnected now and when I get it here in my hands,
I'll go through it to see that this remained true. Given that I think it
was the ssh thingy...not the telnet exploit. Given his experience and
expertise, I was surprised that he hadn't heard of ettercap and its ssh
sniffing abilities on a switched LAN...which he thought made it safe...(the
switched part)..:)
Anyway..I'm counting my lucky stars and thanking God I didn't fare
worse.....and hoping to learn something from this.
see ya,
Diana <--- off to look for system utilities
Crest Communications, Inc. diana@xxxxxxxxxxxxx
Beautiful Sunny Florida http://crestcommunications.com/
352-495-9359, 425-732-9785 fax
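As an added example that is not part of this thread: a small Python check over sshd log lines in the format of the "Unusual System Events" excerpt quoted above. It flags password logins as root (the Cobalt log spells the account ROOT) and root logins from addresses outside an admin allowlist; the allowlist, the hostname and all sample lines except the one quoted in the thread are constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network

# syslog-style sshd line, as quoted in the thread:
#   Jan 6 01:43:32 host sshd[31743]: Accepted password for ROOT from 64.224.118.113 port 2756 ssh2
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Constructed allowlist: the only networks from which a root login is expected.
ADMIN_NETS = [ip_network("192.0.2.0/24")]

def parse_accepted(line):
    """Return a dict for an 'Accepted ...' sshd line, or None for anything else."""
    m = SSHD_ACCEPTED.match(line)
    return m.groupdict() if m else None

def suspicious_logins(lines, admin_nets=ADMIN_NETS):
    """Yield (reason, event) for root logins that merit a look: any password
    login as root (a key is expected; a password means a guessed, sniffed or
    stolen credential) and any root login from outside the admin networks."""
    for line in lines:
        ev = parse_accepted(line)
        if not ev or ev["user"].lower() != "root":
            continue
        reasons = []
        if ev["method"] == "password":
            reasons.append("root password login")
        if not any(ip_address(ev["ip"]) in net for net in admin_nets):
            reasons.append("root login from non-admin address")
        for r in reasons:
            yield r, ev

# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LOG = """\
Jan 6 01:43:32 raq2 sshd[31743]: Accepted password for ROOT from 64.224.118.113 port 2756 ssh2
Jan 6 08:15:01 raq2 sshd[31802]: Accepted publickey for root from 192.0.2.10 port 40122 ssh2
Jan 6 09:02:44 raq2 sshd[31877]: Accepted password for diana from 192.0.2.11 port 1045 ssh2
Jan 6 09:03:10 raq2 sshd[31880]: Failed password for root from 64.224.118.113 port 2760 ssh2
""".splitlines()

if __name__ == "__main__":
    for reason, ev in suspicious_logins(SAMPLE_LOG):
        print(f"{ev['ts']} {reason}: {ev['user']} from {ev['ip']} via {ev['method']}")
```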