Re: [cobalt-users] Cant login using SSH
- Subject: Re: [cobalt-users] Cant login using SSH
- From: Nucharin Jansen <nucharin@xxxxxxxxxxx>
- Date: Mon Oct 21 12:29:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
It is possible that you were attacked by the Slapper worm
http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html
and it installed some rootkit in /tmp.
You have to enable telnet in the control panel and telnet to your box.
Then download and run chkrootkit. http://www.chkrootkit.org
The rootkit replaces some system files to hide its processes and files,
and to gain the ability to login as root.
[--ARK version 1.0 - Ambient's Rootkit for Linux--]
THIS PACKAGE IS STRICTLY PRIVATE
**DO NOT SPREAD THIS AROUND**
This package includes backdoored versions of:
syslogd
login
sshd
ls
du
ps
pstree
killall
top
netstat
Quick explanation:
syslogd Prevents logging if they match a certain string in
/dev/ptyxx/.log
login Login: arkd00r , Password: <yourpassword>
and you got a rootshell.
sshd Login: root , Password: <yourpassword>
will spawn a .. guess what?
ls File hiding using /dev/ptyxx/.file as the index
du eq. ls
ps Hide processes saved in /dev/ptyxx/.proc
(LRK style, explanation stolen too ;-) w00h, evil me!)
Example data file:
0 0 Strips all processes running under root
1 p0 Strips tty p0
2 sniffer Strips all programs with the name sniffer
3 hack Strips all programs with 'hack' in them
ie. proghack1, hack.scan, snhack etc.
pstree eq. ps
killall eq. ps
top eq. ps
netstat For hiding Ports, Connections, etc. saved in /dev/ptyxx/.addr
(LRK style, explanation stolen too ;-) w00h, evil me!)
type 0: hide uid
type 1: hide local address
type 2: hide remote address
type 3: hide local port
type 4: hide remote port
type 5: hide UNIX socket path
Example data file:
0 500 <- Hides all connections by uid 500
1 128.31 <- Hides all local connections from 128.31.X.X
2 128.31.39.20 <- Hides all remote connections to 128.31.39.20
3 8000 <- Hides all local connections from port 8000
4 6667 <- Hides all remote connections to port 6667
5 .term/socket <- Hides all UNIX sockets including the path
.term/socket
Gr33tZ (in no particulair order) fly out 2:
ice-devil, Beast|E, togooz, orangehaw, CuCc`, mo`,
^Trance^, [dG], deaddrokz, Annihi|aT, Leentje..
and ofcourse whoever i forgot to mention..
not that you're forgotten though ;-)
- |Ambient|
bash# whereis sshd
sshd: /usr/sbin/sshd /usr/local/sbin/sshd /usr/man/man8/sshd.8.gz
bash# ls -al /usr/sbin/sshd /usr/local/sbin/sshd
-rwxr-xr-x 1 root root 787600 Oct 21 13:17 /usr/local/sbin/sshd
-rwxr-xr-x 1 root root 796044 Jul 31 09:43 /usr/sbin/sshd
bash# whereis ssh
ssh: /usr/bin/ssh /etc/ssh /usr/local/bin/ssh /usr/man/man1/ssh.1.gz
bash# ls -al /usr/bin/ssh /etc/ssh /usr/local/bin/ssh
-rwxr-xr-x 1 root root 755436 Jul 31 09:43 /usr/bin/ssh
-rwxr-xr-x 1 root root 770140 Oct 21 13:17 /usr/local/bin/ssh
/etc/ssh:
total 102
drwxr-xr-x 2 root root 1024 Oct 21 14:33 .
drwxr-xr-x 39 root root 3072 Oct 21 14:54 ..
-rw------- 1 root root 88039 Jul 31 09:43 moduli
-rw-r--r-- 1 root root 1144 Jul 31 09:43 ssh_config
-rw------- 1 root root 668 Apr 4 2002 ssh_host_dsa_key
-rw-r--r-- 1 root root 590 Apr 4 2002 ssh_host_dsa_key.pub
-rw------- 1 root root 515 Apr 4 2002 ssh_host_key
-rw-r--r-- 1 root root 319 Apr 4 2002 ssh_host_key.pub
-rw------- 1 root root 887 Apr 4 2002 ssh_host_rsa_key
-rw-r--r-- 1 root root 210 Apr 4 2002 ssh_host_rsa_key.pub
-rw------- 1 root root 2406 Jul 31 09:43 sshd_config
bash#
> HI there,
>
> I have not done anything in recent days to the server and all of a sudden I can
> not login using Putty and SSH..
>
> I rebooted the server and still keep getting connection refused.
>
> Any one got any ideas.
>
> Thanks
>
> Ian
>
>
> _____________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
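Added example, written for this archive page and not part of the list post or of chkrootkit: a small Python triage helper that decodes the /dev/ptyxx hide-rule files in the "<type> <value>" format the quoted README describes, and flags copies of the listed binaries under /usr/local that are newer than the distribution copies under /usr, which is the pattern in the ls output above. demo() builds a constructed sample tree in a temporary directory rather than touching a real host; all paths and sample values are assumptions taken from the thread.

```python
import os
import tempfile
from pathlib import Path

# Directory, file names and rule types as listed in the ARK README quoted above.
ARK_DIR = "dev/ptyxx"
PROC_TYPES = {"0": "uid", "1": "tty", "2": "program name", "3": "name substring"}
ADDR_TYPES = {"0": "uid", "1": "local address", "2": "remote address",
              "3": "local port", "4": "remote port", "5": "UNIX socket path"}
BACKDOORED = ["syslogd", "login", "sshd", "ls", "du", "ps",
              "pstree", "killall", "top", "netstat"]

def parse_rules(text, types):
    """Decode one '<type> <value>' data file into (what is hidden, value) pairs."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            rules.append((types.get(parts[0], "unknown type " + parts[0]), parts[1].strip()))
    return rules

def shadowed_binaries(root):
    """Return /usr/local/{bin,sbin}/X copies that are newer than /usr/{bin,sbin}/X."""
    hits = []
    for name in BACKDOORED:
        for sub in ("bin", "sbin"):
            local, dist = Path(root, "usr/local", sub, name), Path(root, "usr", sub, name)
            if local.is_file() and dist.is_file() and local.stat().st_mtime > dist.stat().st_mtime:
                hits.append(str(local.relative_to(root)))
    return hits

def triage(root="/"):
    """Collect ARK indicators under root ("/" on a live box, or a mounted disk image)."""
    hide = Path(root, ARK_DIR)
    report = {"hide_dir": hide.is_dir(), "proc": [], "addr": [], "shadowed": shadowed_binaries(root)}
    if report["hide_dir"]:
        for key, types in (("proc", PROC_TYPES), ("addr", ADDR_TYPES)):
            rule_file = hide / ("." + key)
            if rule_file.is_file():
                report[key] = parse_rules(rule_file.read_text(errors="replace"), types)
    return report

def demo():
    """Constructed sample tree mirroring the thread's findings; not a real host."""
    root = tempfile.mkdtemp()
    for rel in ("usr/sbin/sshd", "usr/local/sbin/sshd", "usr/bin/ls"):
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(b"\x7fELF")
    os.utime(Path(root, "usr/sbin/sshd"), (1_000_000, 1_000_000))  # distribution copy is older
    hide = Path(root, ARK_DIR)
    hide.mkdir(parents=True)
    (hide / ".proc").write_text("0 0\n1 p0\n2 sniffer\n3 hack\n")    # README example data
    (hide / ".addr").write_text("0 500\n4 6667\n5 .term/socket\n")  # README example data
    return triage(root)
```

On a real system run triage("/") as root and treat any hit as a reason to rebuild from known-good media, since the replaced ls, ps and netstat cannot be trusted to show the rest of the intrusion.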