
RE: [cobalt-users] I've been hacked



> Someone got into my Raq4 last night and dropped a new home 
> page with one graphic file onto 2 sites. I have OS2, the 
> latest PHP, webmail and webalizer from pkgmaster.com running 
> on the server, but that was about it. To combat the problem, 
> I changed the server's passwords right away before I put in 
> the latest patches, and I was hacked again before the latest 
> patches went in, including the Security Bundle 2.0.1. I 
> changed the passwords again.
> 
> I am not seeing where the person got in. Any thoughts?

First off, once you've been hacked, that's it: it's best to move all the
sites onto another RaQ, rebuild that RaQ, install all patches and then
connect back to the net.  One of the first things a hacker does when
they get in is to make sure they can get in again later, even if you
change passwords, install patches etc. It's called a backdoor and it could
be anywhere.

If the hacker is good you may never really be sure how they got in. I
believe there are crime units who will look into it, but you have to keep
the hard drive as it is for them, and the chances are that not much will
happen, so it's probably best just to accept it as part of the rich
tapestry of the internet and get on with it.

Next, once you have restored your RaQ, patched it up to date and installed
your pkgs from pkgmaster, install portsentry either from sources
(plenty of info in the archive) or as a pkg if you want from
www.cobaltworld.com (then Downloads). Then install logcheck (again, look in
the archives), make sure you turn off telnet and install SSH from
pkgmaster, then edit the sshd_conf in /etc and only allow ssh2 to
connect, and finally on your main site issue a self-signed
certificate which will allow all your customers to access their admin
pages as https://. They will get a non-trusted warning, but at least they
can look at the cert, see it's from you and know it's OK; better than having
your passwords sniffed.

I think that's all for now; that should keep you occupied for today. I'm sure
some others will have some views as well if I have missed anything out.

Gavin
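Two of the steps in Gavin's checklist (turn off telnet, and edit the sshd config so only ssh2 is accepted) are easy to get subtly wrong: a commented-out `#Protocol 2` line or a `Protocol 2,1` line still leaves protocol 1 on offer, and a telnet entry in inetd.conf is live until it is commented out. The script below is an added example, not from the original thread or from any Cobalt package: it audits and then fixes both settings. File paths are passed in as arguments, so it runs here against constructed sample files; on a real host you would point it at your inetd.conf and sshd config file (the location depends on the SSH package installed).

```shell
#!/bin/sh
# Added example: audit and harden two settings from the post's checklist.
# Functions take the config file path as $1; the sample files at the bottom
# are constructed so the script runs stand-alone.

# Return 0 if inetd.conf has no active (uncommented) telnet service line.
telnet_disabled() {
    if grep -v '^[[:space:]]*#' "$1" | grep -q '^[[:space:]]*telnet[[:space:]]'; then
        return 1
    fi
    return 0
}

# Return 0 only if an active "Protocol" directive exists and it names 2 alone.
# No Protocol line at all fails, because older sshd builds then offer both.
ssh2_only() {
    vals=$(grep -v '^[[:space:]]*#' "$1" | awk 'tolower($1)=="protocol" {print $2}')
    [ -n "$vals" ] || return 1
    echo "$vals" | grep -q '1' && return 1      # "1" or "2,1" still offers ssh1
    echo "$vals" | grep -q '2' || return 1
    return 0
}

# Rewrite the sshd config in place: drop every Protocol line (commented or
# not) and append a single "Protocol 2".
force_ssh2() {
    tmp="$1.tmp.$$"
    grep -iv '^[[:space:]]*#\{0,1\}[[:space:]]*Protocol[[:space:]]' "$1" > "$tmp" || true
    echo 'Protocol 2' >> "$tmp"
    mv "$tmp" "$1"
}

# Comment out any active telnet line in inetd.conf (inetd re-reads on HUP).
disable_telnet() {
    tmp="$1.tmp.$$"
    sed 's/^\([[:space:]]*telnet[[:space:]]\)/#\1/' "$1" > "$tmp"
    mv "$tmp" "$1"
}

audit() {
    telnet_disabled "$1/inetd.conf" && echo "telnet: disabled" || echo "telnet: ENABLED"
    ssh2_only "$1/sshd_config" && echo "sshd: protocol 2 only" || echo "sshd: PROTOCOL 1 STILL OFFERED"
}

# --- Constructed sample files (not from a real RaQ) ---
WORK=$(mktemp -d)
cat > "$WORK/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
EOF
cat > "$WORK/sshd_config" <<'EOF'
# constructed sample sshd config: the commented line does nothing,
# and "2,1" still offers protocol 1
Port 22
#Protocol 2
Protocol 2,1
PermitRootLogin no
EOF

echo "== before =="
audit "$WORK"
disable_telnet "$WORK/inetd.conf"
force_ssh2 "$WORK/sshd_config"
echo "== after =="
audit "$WORK"
rm -rf "$WORK"
```

After editing the real files, restart sshd and send inetd a HUP so the changes take effect, then re-run the audit functions against the live paths. The self-signed certificate step is a separate `openssl req -x509` invocation and is not covered by this script.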