Re: [cobalt-users] pkg.nl.cobalt - Open SSH
- Subject: Re: [cobalt-users] pkg.nl.cobalt - Open SSH
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Mon Jan 14 22:10:32 2002
- Organization: nobaloney.net
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
cbtrussell wrote:
> So how did you know you were compromised? How did they get in? (I'm asking
> because I'm trying to learn to identify the signs....)
Because I was sitting at my system at the time it happened, and all of a
sudden I couldn't log in to check email anymore (I check email on their
system every five minutes, as a kind of rudimentary "ping" of the
connection).
I found the rootkit...
> >I have a copy of the rootkit, it was left on the machine for others to
> >download <frown>, but I don't think I'm going to give it to anyone.
I ended up not downloading the rootkit, and...
> Did you/are going to just do a fresh restore?
once we found the rootkit was NOT in userspace, we used CMU, restored
the system, and then restored the CMU. Everything worked fine. But we
did manage to "lose" the rootkit. Which appears to be an LKM that was
too new or too different to be caught by chkrootkit.
Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484