
RE: [cobalt-security] possible compromise



Hmm, always a worry!

Tips: if you have access to more RaQs of the same spec, compare the file
size of things like 'top', 'login', etc., commonly replaced by rootkits with
other versions that hide what the hackers are doing. Also check the mod dates on
any of these files.
Do a search for file/folder names ... often used to hide software. If they
have, then you can reinstall the system RPMs over the top, but you might not
get everything!

If you have a spare server I'd suggest running the migrate util from
cobalt.com and then restoring that box, but it's always a last resort if you're
not 100% sure you've been had.

If your machine's hosted at an ISP farm, it's possible they may have caused the
server to stop, i.e. installing a new server on the subnet with the same IP
causing both ethernet cards to lock up. Does happen!

The good news is most hackers don't want to take down the box, just use it to
leapfrog somewhere else, so it's unlikely to go down unless they f~~k up
anything (scriptkiddies!). So you've got some time on your side. Make sure
everything in the home directory is backed up, and any DB stuff you might
need.



-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Kevin D
Sent: 24 January 2001 16:11
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] possible compromise


I believe my Raq3i may have been compromised. At 2:39am this morning it
stopped responding, and my monitoring software reports a change in my
passwd, group, and shadow files. I did a quick audit of those files and
there are no additions.

I checked all of my logs which abruptly stop at 2:39am, and don't start
again until 9:49 (the time of reboot). I portscanned the server, to find no
additional open ports, and checked listening ports with netstat -l. So far,
so good. I also did a find for files with modified timestamps, and took a
quick look at those.

Is there anything else I should check to verify that nothing has been
compromised? Any advice as to where to go to figure out what the heck
happened?

Kevin
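The reply's tip of comparing 'top', 'login' etc. against a RaQ of the same spec, together with Kevin's find for modified timestamps, as an added example that is not part of this thread: a small POSIX sh script that builds a size+SHA-256 manifest on the clean box and diffs the suspect box against it. WATCHLIST is a constructed list and sha256sum is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the list thread): compare the commonly trojaned
# binaries on a suspect box against a baseline manifest built on a
# known-clean host of the same spec, and list recently modified files.
# Manifest line format:  <sha256> <size> <path>
# Binaries rootkits commonly replace to hide processes, logins and files.
# Constructed list; extend it to whatever your hosts run.
WATCHLIST="/usr/bin/top /bin/login /bin/ps /bin/ls /bin/netstat /usr/bin/find"

# build_manifest ROOT PATH... : print a manifest line for each PATH under ROOT.
# Run this on the clean reference RaQ (ROOT=/) and keep the output off-box.
build_manifest() {
    root=${1%/}; shift
    for p in "$@"; do
        f="$root$p"
        [ -f "$f" ] || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$sum" "$size" "$p"
    done
}

# compare_manifest BASELINE ROOT : print CHANGED/MISSING lines for every
# baseline entry that differs under ROOT; prints nothing if all match.
# Hashes are compared, not just sizes: a replacement padded to the same
# size (or touched back to the old mtime) still shows up here.
compare_manifest() {
    baseline=$1; root=${2%/}
    while read -r sum size p; do
        f="$root$p"
        if [ ! -f "$f" ]; then
            printf 'MISSING %s\n' "$p"
            continue
        fi
        cur=$(sha256sum "$f" | cut -d' ' -f1)
        cursize=$(wc -c < "$f" | tr -d ' ')
        [ "$cur" = "$sum" ] && continue
        printf 'CHANGED %s (size %s -> %s)\n' "$p" "$size" "$cursize"
    done < "$baseline"
}

# recently_modified ROOT DAYS : regular files under ROOT modified in the
# last DAYS days, the "find for modified timestamps" check. Treat a quiet
# result with suspicion: mtimes are easily reset, hashes are not.
recently_modified() {
    find "$1" -xdev -type f -mtime "-$2" 2>/dev/null | sort
}
# On the reference box:  build_manifest / $WATCHLIST > raq-baseline.txt
# On the suspect box:    compare_manifest raq-baseline.txt /
```

Keep the baseline off the suspect host, since anything stored on a compromised box can be rewritten along with the binaries.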

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security