RE: [cobalt-users] Hacked - Ambient's Rootkit for Linux ?
- Subject: RE: [cobalt-users] Hacked - Ambient's Rootkit for Linux ?
- From: BSmith@xxxxxxxxxxx
- Date: Fri Nov 8 14:08:02 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
-----Original Message-----
From: cobalt@xxxxxxxxxxxxx
Subject: [cobalt-users] Hacked - Ambient's Rootkit for Linux ?
Hi all,
I believe I have been hacked (well I'm sure, but I still have hope)
chkrootkit returns:
Checking `du'... INFECTED
The only patch I'm missing (I believe) is RaQ4-mod_ssl-2.8.4.pkg.
ANY Help and advice would be appreciated
Regards
Andy
_____________________________________
You could sit there and re-install the RPMs from Cobalt's FTP site (ftp-eng.cobalt.com), or you can use CMU, back up your sites & data, re-install your software and then put back your sites & data. That would be my two cents' worth.

If you just sit there and try to repair it, you do not know how much they have "hacked" or if the hack is still running, etc. It is best to save your data (Cobalt style) and re-do your entire box. Add some additional security, like IPchains, PortSentry, PM-Firewall, or anything like that.

Save your /var/log files, and spend a lot of time scanning them; hopefully the kiddie was stupid and forgot to delete his presence (look at things like "last" and your security.log). Or pay someone a lot of money and go through there.

I would just blast it, download all updates, turn off any service you do not use, use ssh, change the root password weekly, daily, or however often, and disable :81 (if you use ssh, you can use port forwarding and connect to it via a local host setup). Block all Chilisoft ports, since they just use it internally, limit FTP, block DNS (UDP) and force it to go TCP; a little slower, but you have some better control with firewall software.
Best of luck!
~Brian
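As an added example (not part of this thread, and not Cobalt's or chkrootkit's code), here is a small Python triage script in the spirit of Brian's advice: it compares binaries such as `du` against hashes recorded from clean install media, and flags entries in `last` output that come from hosts you do not recognise or show root logging in at night. The manifest hashes, trusted host list, off-hours window and `last` lines are all constructed for illustration.

```python
"""Post-compromise triage helpers: binary integrity check and `last` review.

Added example, not code from the cobalt-users thread. All sample data
(manifest, suspect file bytes, trusted hosts, `last` lines) is constructed.
"""
import hashlib
import re

# Assumed off-hours window for interactive root logins (23:00 to 06:00).
NIGHT_START, NIGHT_END = 23, 6


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_binaries(manifest: dict, current: dict) -> list:
    """Return paths whose current bytes differ from the clean manifest.

    manifest: {path: sha256 hex recorded from clean install media}
    current:  {path: bytes read from the suspect box}
    A missing file is reported too; a rootkit may replace or remove it.
    """
    tampered = []
    for path, expected in manifest.items():
        data = current.get(path)
        if data is None or sha256_hex(data) != expected:
            tampered.append(path)
    return tampered


# Start of a `last` line: user, tty, origin host, weekday, month, day, HH:MM.
# The session duration at the end of the line is not needed here.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"\w{3}\s+\w{3}\s+\d+\s+(?P<hour>\d{2}):(?P<minute>\d{2})"
)


def suspicious_logins(last_output: str, trusted_hosts: set) -> list:
    """Flag `last` entries from untrusted hosts or root logins at night.

    Returns a list of (user, host, reasons) tuples. The `reboot` and
    `wtmp begins` records do not carry a host and are skipped.
    """
    findings = []
    for line in last_output.splitlines():
        m = LAST_RE.match(line)
        if not m or m.group("user") in ("reboot", "shutdown"):
            continue
        user, host = m.group("user"), m.group("host")
        hour = int(m.group("hour"))
        reasons = []
        if host not in trusted_hosts:
            reasons.append("untrusted host")
        if user == "root" and (hour >= NIGHT_START or hour < NIGHT_END):
            reasons.append("root login at night")
        if reasons:
            findings.append((user, host, reasons))
    return findings


# Constructed stand-ins for binary contents; on a real box these would be
# read with open(path, "rb") and the manifest taken from install media.
CLEAN_DU = b"\x7fELF clean du (constructed stand-in)"
CLEAN_LS = b"\x7fELF clean ls (constructed stand-in)"
CLEAN_MANIFEST = {"/usr/bin/du": sha256_hex(CLEAN_DU),
                  "/bin/ls": sha256_hex(CLEAN_LS)}
SUSPECT_FILES = {"/usr/bin/du": CLEAN_DU + b" + trojan patch",
                 "/bin/ls": CLEAN_LS}

# Constructed `last` output; 203.0.113.77 is a documentation address.
SAMPLE_LAST = """root     pts/0        192.168.1.5      Fri Nov  8 13:02 - 13:40  (00:38)
root     pts/1        203.0.113.77     Thu Nov  7 03:14 - 03:59  (00:45)
admin    pts/0        192.168.1.5      Wed Nov  6 09:00 - 09:30  (00:30)
reboot   system boot  2.2.16C37        Tue Nov  5 08:00          (3+05:42)

wtmp begins Tue Nov  5 08:00:01 2002
"""
TRUSTED_HOSTS = {"192.168.1.5"}


def run_triage():
    """Run both checks over the constructed sample data."""
    return {
        "tampered": verify_binaries(CLEAN_MANIFEST, SUSPECT_FILES),
        "logins": suspicious_logins(SAMPLE_LAST, TRUSTED_HOSTS),
    }


if __name__ == "__main__":
    result = run_triage()
    for path in result["tampered"]:
        print(f"MODIFIED: {path}")
    for user, host, reasons in result["logins"]:
        print(f"REVIEW: {user} from {host}: {', '.join(reasons)}")
```

On an RPM-based box like the RaQ, `rpm -Va` does a comparable comparison against the package database, but that database lives on the compromised host and can be rewritten by anyone with root; that is why the manifest here is meant to come from clean install media or a known-good sibling machine, and why this only supports the decision Brian describes (rebuild from known-good sources) rather than replacing it.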