RE: [cobalt-users] Hacked Cobalt Servers
- Subject: RE: [cobalt-users] Hacked Cobalt Servers
- From: "Kevin" <owner@xxxxxxxxxxxxx>
- Date: Wed Apr 16 22:44:01 2003
- Organization: Worldcops
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On Behalf Of Bill Gunning
Sent: Wednesday, April 16, 2003 8:57 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] Hacked Cobalt Servers
How did you find out it was hacked? Is there something
we should be looking for? Did <http://www.cobaltfaqs.com/>BRT chkrootkit
Release 0.39a-04 find the hack?
Bill
At 01:04 PM 4/16/2003 -0700, you wrote:
>>Just wondering if and how many other cobalt servers have been hacked
>>lately, and if by the same group or person?
>>
>>Mine was hacked last weekend by Blood Br. Dumped and reloaded from a
>>cmu file. There probably was a better way to set up the DNS server,
>>but I did it one at a time.
>
>My Qube 3 was hacked last weekend too. I haven't had time to track down
>any info on the culprit yet, but their email addy is: maildevraja@xxxxx
>
>Tom
I looked at my webpage and found a big GIF. Also found that, however they
did it, they replaced every index.html file in all the sites across the
server. Only that one file was defaced server-wide.
They also directed my telnet login to something they had added to
/dev/tux which refused my admin login. I was able to SFTP and SSH into
the server, but lost that after I was forced to hard boot the server at
the CO-LO.
Since we have some Law types on the server they did some cyber tracking
and turned up this:
Organization:
hellsink hellsink
HELLSINK HELLSINK
AV ACOCE 296 - APTO 154
SAO PAULO, SP 04075021
BR
Phone: 21-3254871-
Fax..: 0000-0000
Email: hellzito@xxxxxxxxxx
Someone answered the email that was sent by a law type and it got ugly
as to he was not US and they can't do anything about it.
There is a bit more to it, but I don't want to bore anyone with details.
They did admit that it was a sendmail exploit that was used, but no
details about how they did it.
WC