RE: [cobalt-users] hack recovery question
- Subject: RE: [cobalt-users] hack recovery question
- From: "Matt" <mattm@xxxxxxxxxx>
- Date: Thu Mar 27 13:18:00 2003
- Organization: Parcom Internet Web Hosting
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Andy,
AMEN!
This is the exact same problem after much research that I have found. ;-(
What a pain in the a$$-- I am sure someone will figure this out someday..
Matt
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On Behalf Of David J. Duffner
Sent: Thursday, March 27, 2003 12:56 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] hack recovery question
Andy,
Having suffered a bizarre attack in November
and continuing into December, there's something
more to consider:
We were unable to determine the exact source
of the attack. If you have found the code embedded
in that RaQ and in backing up all the files can
eliminate it - great!
If not, here's the lesson we learned:
We constantly have backups weekly from the
various sites on the RaQ's via the GUI. But not
being able to completely determine the access
path that was used and where the code was placed,
we backed everything up - wiped the RaQ (4r in this
case) and then reloaded. Several things had to
be manually reconfigured, including the DNS and
site settings.
We restored everything back to normal, put
the server back into action and went our merry
way. Everything was fine for approximately 30
days, we had just about every security patch
and scan possible on the RaQ, the ethernet
connections and had the co-lo sitting on the
log files for anything strange. Not a peep.
Unfortunately, the RaQ went ballistic in
December with outbound attacks. These attacks
had no pattern, no destinations with a common
theme to see who was doing this via the hack,
nothing! Drove the NOC and us completely insane
for 7 days.
The end result was wiping the RaQ completely
once again and reinstalling everything from original
files. Apparently whatever hack was used, it was
embedded in such a manner that one of the domains
or some other restored backup contained files with
the ability to relaunch it. Because those files
are proprietary via the RaQ, normal virus scanners
didn't pick up whatever it was (if it even could
be picked up).
So, wipe & reload from the original files
if at all possible, rebuild the rest as if it
were your first day on the RaQ, reload virgin
copies of all .pkg files for any goodies you
had installed.
Anything else may come back to haunt you.
Word to the wise, I know I'll see flame-filled
responses but I'm just passing on lessons
learned. Someone out there's managed to make a
monster hack that can be slipped into a RaQ by
some means and stay for dinner (and lunch and
January and February...).
HTH!
David J. Duffner
VP Operations
NWC Corporation
Global E-Pay Solutions
www.nwcxpress.com
>-----Original Message-----
>From: cobalt-users-admin@xxxxxxxxxxxxxxx
>[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On
>Behalf Of Andy Clyde,
>oxfordmusic.net
>Sent: Thursday, March 27, 2003 3:39 PM
>To: Cobalt Users
>Subject: [cobalt-users] hack recovery question
>
>
>i found out today that one of my RaQs has been
>hacked. i'm trying to backup
>all the data in order for my colo to do a rebuild
>on it and i just want to
>check to see what i need to back up.
>the server does not host any sites per se. we use
>it for backing up MySQL
>files from my two other RaQ4s, all the user/site
>data from one of the RaQ4s
>(all the site data from the other RaQ4 is stored
>locally on my PC anyway)
>and as secondary DNS for the second RaQ4.
>here's what i'm backing up:
>
>all MySQL backups
>the last site data back up from the RaQ4
>
>can i back up my DNS files? or will i have to
>recreate them once the server
>is rebuilt?
>
>heads up to Gerald Waugh who i rang and advised me
>on the best course of
>action.
>
>thanks
>
>andy
>
>
>
>_____________________________________
>cobalt-users mailing list
>cobalt-users@xxxxxxxxxxxxxxx
>To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
>http://list.cobalt.com/mailman/listinfo/cobalt-users
>
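A check along the lines of David's lesson above (restored backups carrying the files that relaunched the compromise), added here as an example and not part of this thread or of any Sun Cobalt tooling: hash every file in a known-good tree (the original install, or the unpacked virgin .pkg files) and vet a backup against that manifest before restoring it, listing files whose contents changed and files the clean tree never had, with executables flagged separately. The directory layout and file contents in the sample are constructed for the demo.

```python
"""Vet a backup tree against a known-good manifest before restoring it."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> (sha256, permission bits) for every regular file under root."""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            manifest[str(p.relative_to(root))] = (sha256_file(p), p.stat().st_mode & 0o777)
    return manifest


def compare(clean: dict, backup: dict) -> dict:
    """Report backup files that differ from the clean tree or do not exist in it at all."""
    report = {"modified": [], "extra": [], "extra_executable": []}
    for rel, (digest, mode) in backup.items():
        if rel not in clean:
            bucket = "extra_executable" if mode & 0o111 else "extra"
            report[bucket].append(rel)
        elif clean[rel][0] != digest:
            report["modified"].append(rel)
    return report


def demo() -> dict:
    """Constructed sample: a clean install tree and a backup that should not be trusted blindly."""
    base = Path(tempfile.mkdtemp())
    clean, backup = base / "clean", base / "backup"
    files = {
        "etc/named.conf": b'options { directory "/var/named"; };\n',
        "etc/crontab": b"0 4 * * * root /usr/sbin/logrotate\n",
    }
    for rel, data in files.items():
        for root in (clean, backup):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    # The backup carries an altered crontab and an executable the clean tree never had (constructed).
    (backup / "etc/crontab").write_bytes(files["etc/crontab"] + b"@reboot root /tmp/.x/run\n")
    dropped = backup / "tmp/.x/run"
    dropped.parent.mkdir(parents=True)
    dropped.write_bytes(b"#!/bin/sh\n")
    dropped.chmod(0o755)
    return compare(build_manifest(clean), build_manifest(backup))
```

Anything in "modified" or "extra_executable" is reviewed by hand before the backup goes anywhere near the rebuilt box; site content that genuinely changed will show up too, so the manifest should come from the same release the box is rebuilt from.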