Re: [cobalt-security] [RaQ3i] interesting hack symptoms
- Subject: Re: [cobalt-security] [RaQ3i] interesting hack symptoms
- From: Theodore Jones <theoj@xxxxxxxxxxxxx>
- Date: Fri, 03 Nov 2000 16:17:21 -0800
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Peter,
> Try tail /etc/inetd.conf mainly, the bindshells are located there.. If
> they installed a rootkit already, the bindshell will be a sshd on a
> different port, or a /bin/login backdoor.
Do you mean that I would see a sshd reference in "inetd.conf", or a
"/bin/login" reference in there also near the end of the file -- that simple?
> If that's the case, I would
> suggest reinstalling.. You'll never know what files are backdoored 100%.
> Also, disabling Anonymous ftp doesn't solve things. People with an account to
> the box can also use an exploit, and hack your system.
Granted, although it greatly reduces the amount of access to the box
right now if I disable the Anon account, and I trust the 7 or eight accounts that
people mainly use for mail and FTP on the machine right now. I'm generally
watching everything like a hawk also when I'm working all day at my desk...
> I would install the latest version of the ftpd you're using. There's a public
> patch for ProFTPd available from cobalt. And for wu-ftpd, you can get the
> tar.gz from ftp.wu-ftpd.org.. rpms can be found at
Does the installation of that patch require the update of OS3?.... I
haven't done that one yet because of all the horrors I heard about from other
users on the regular cobalt list....
Thanks much for your input!
~ Theo
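
The inetd.conf check discussed in this message, as an added example that is not part of the original post: a shell function that parses the file's fields and reports active entries worth a closer look. The function names, the heuristics (shell list, directory list) and the sample file are assumptions constructed for illustration; run it against a copy of the file read from known-good media, since tools on a compromised host cannot be trusted.

```shell
#!/bin/sh
# Added example. inetd.conf fields:
#   service  socket_type  protocol  wait/nowait  user  server_program  args...
# Usage: audit_inetd /path/to/copy/of/inetd.conf

# Constructed sample, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
time    stream  tcp     nowait  root    internal
ingreslock stream tcp nowait root /bin/sh sh -i
courier stream  tcp     nowait  root    /dev/.lib/login login
EOF
}

# Print "LINE: reason: entry" for each active entry that looks out of place.
audit_inetd() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }      # commented-out and blank lines are inactive
    NF < 6 { printf "%d: malformed entry: %s\n", NR, $0; next }
    {
        prog = $6                       # server_program field
        n = split(prog, parts, "/")
        base = parts[n]
        reason = ""
        if (base ~ /^(sh|ash|bash|csh|tcsh|ksh|zsh)$/)
            reason = "shell as server program"
        else if (prog ~ "^/(tmp|var/tmp|dev)/")
            reason = "server program in unusual directory"
        else if (prog ~ "/\\.[^/]")
            reason = "server program under hidden path"
        if (reason != "")
            printf "%d: %s: %s\n", NR, reason, $0
    }' "$1"
}
```

An empty report only says that no active entry matched these three heuristics; it does not show that binaries such as /bin/login are unmodified.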