Re: [cobalt-security] [RaQ3i] interesting hack symptoms
- Subject: Re: [cobalt-security] [RaQ3i] interesting hack symptoms
- From: Linking Internet - Peter Batenburg <peter@xxxxxxxxxx>
- Date: Sat, 04 Nov 2000 21:22:07 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
At 16:17 3-11-00 -0800, you wrote:
Peter,
> Try tail /etc/inetd.conf mainly, the bindshells are located there.. If
> they installed a rootkit already, the bindshell will be a sshd on a
> different port, or a /bin/login backdoor.
Do you mean that I would see a sshd reference in "inetd.conf"?, or a
"/bin/login" reference in there also near the end of the file -- that simple?
you will probably see a line like this:
9035 stream tcp nowait root /bin/sh sh -i
9035 is the port number.. and the /bin/sh sh -i tells inetd to execute a
root shell when connecting to port 9035..
> If that's the case, i would
> suggest reinstalling.. You'll never know what files are backdoored 100%.
> Also, disabling Anonymous ftp doesn't solve things. People with an account to
> the box can also use an exploit, and hack your system.
Granted, although it greatly reduces the amount of access to the box
right now if I disable the Anon account, and I trust the 7 or eight
accounts that people mainly use for mail and FTP on the machine right now.
I'm generally watching everything like a hawk also when I'm working all day
at my desk...
big rule in security.. never trust anybody.. i've seen cases where co-admins
were rooting each other's boxes, and installing trojans and sniffers just
for fun..;)
> I would install the latest version of the ftpd you're using. There's a public
> patch for ProFTPd available from cobalt. And for wu-ftpd, you can get the
> tar.gz from ftp.wu-ftpd.org.. rpms can be found at
Does the installation of that patch require the update of OS3?.... I
haven't done that one yet because of all the horrors I heard about from other
users on the regular cobalt list....
i don't know really.. i installed all patches on a number of cobalts on my
network, and nothing failed.. everything is fine..
the thing i did the first time, is cloning the cobalt harddrive with norton
ghost to another 20gb drive.. (while putting the cobalt drive in another pc)
and then put the cobalt drive back.. and went installing.. at some part, i
fucked up bigtime (nothing to do with updates.. more editing files that i
shouldn't have..;)
put the drive in the other pc again.. ran ghost.. and put the out-of-the-box
installation back..;) it's not a simple solution, but it works.. and you can
test if the cobalt updates will cause any problems.. don't forget that
opening your cobalt will void your warranty!
Thanks Much for your input!,
no thanks..;) glad to help you!
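
The inetd.conf check discussed in this message, as an added example that is not part of the original post: a small shell function that flags entries whose server program is a shell or whose service field is a raw port number. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag inetd.conf entries like the one quoted in the message.
# inetd.conf fields: service socket proto wait user server-program args...

scan_inetd() {
    # Reads the files given as arguments, or stdin when none are given.
    awk '
        /^[ \t]*#/ || NF < 6 { next }   # skip comments, blank and short lines
        {
            reasons = ""
            n = split($6, parts, "/")
            prog = parts[n]             # basename of the server program
            if (prog ~ /^(sh|ash|bash|csh|tcsh|ksh|zsh)$/)
                reasons = reasons " shell-as-server"
            if ($1 ~ /^[0-9]+$/)        # raw port instead of a service name
                reasons = reasons " numeric-port"
            if (reasons != "")
                printf "line %d [%s] %s\n", FNR, substr(reasons, 2), $0
        }
    ' "$@"
}

make_sample() {
    # Constructed sample file; only the last line is a live bindshell entry.
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#9035 stream tcp nowait root /bin/sh sh -i
9035 stream tcp nowait root /bin/sh sh -i
EOF
}

# Demo on the constructed sample; on a real box: scan_inetd /etc/inetd.conf
make_sample | scan_inetd
```

A hit is a prompt to inspect the entry, since a numeric service field can be legitimate. Clean output does not clear the machine: as the message says, a rootkit may instead run an sshd on another port or replace /bin/login, neither of which appears in inetd.conf.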