Re: [cobalt-security] dns server on raq3i
- Subject: Re: [cobalt-security] dns server on raq3i
- From: M Coltart <colt@xxxxxxxxxxxxx>
- Date: Mon, 19 Feb 2001 21:17:07 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Pasqi,
I would be trying to get to the server physically, ideally.
Try a reboot from the admin httpd interface and if neither service comes up
then you will need to get to the box.
You may have been hacked. If so, BTW, only discuss it in the security list
and not developers or users.
If you have been hacked and you need to get in, bring up a Linux box. I have
used RH6.2 to do this: rip out the hard drive from the RAQ and mount it on
the new Linux box, and replace the affected files from a spare copy. If you
need them, ask and I will send them directly. All told, a typical root kit
affects about 10 to twenty files, with hacks in the rc.local or other init
scripts.
Usually they replace login with a fake one that captures all passwords.
Ensure a pw roll for all users and root.
The other solution is the OS restore CD, which in the end you may very well
have to do as well. But the solution I stated above should at least
allow access to the data required and most importantly the log files if the
hacker did not edit them.
BTW take it off the real WWW while doing the maintenance.
Good luck and good hunting.
At 07:58 AM 2/17/01, Webline pdl wrote:
I have a RAQ3 only used as a primary DNS server.
Two days ago active monitor reported that the DNS service was not
responding.
Another symptom is that I can not establish a TELNET session with SSH1.
Web is OK, FTP is OK, Mail is OK.
Any ideas out there...?
thanks pasqi
Mike Coltart
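
The offline check described in the reply above (mount the RaQ's drive on a clean Linux box and compare it against a spare copy) can be sketched as a shell function. This is an added example, not part of the original post; the mount points, the default directory list and the name `compare_trees` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): list files on a suspect disk
# that differ from a trusted spare copy of the same OS tree.
# Assumptions: the suspect drive is mounted read-only (e.g. mount -o ro,noexec)
# on a clean box, and a known-good copy of the same release is unpacked nearby.
# Paths containing newlines are not handled.

# compare_trees REF_ROOT SUSPECT_ROOT [DIR...]
# Prints one finding per line:
#   CHANGED path   content differs from the trusted copy
#   MISSING path   absent on the suspect disk, or no longer a regular file
#   EXTRA path     present on the suspect disk only
compare_trees() {
    ref=$1; suspect=$2; shift 2
    # Default to binaries and init scripts (assumed Red Hat style layout);
    # config and data directories differ legitimately and only add noise.
    [ $# -gt 0 ] || set -- bin sbin usr/bin usr/sbin etc/rc.d
    for dir in "$@"; do
        if [ -d "$ref/$dir" ]; then
            (cd "$ref" && find "$dir" -type f -print) | sort |
            while IFS= read -r f; do
                # Never follow symlinks on the suspect disk: an absolute
                # link would resolve against the clean box's own root.
                if [ -L "$suspect/$f" ] || [ ! -f "$suspect/$f" ]; then
                    echo "MISSING $f"
                elif ! cmp -s "$ref/$f" "$suspect/$f"; then
                    echo "CHANGED $f"
                fi
            done
        fi
        if [ -d "$suspect/$dir" ]; then
            (cd "$suspect" && find "$dir" -type f -print) | sort |
            while IFS= read -r f; do
                [ -f "$ref/$f" ] || echo "EXTRA $f"
            done
        fi
    done
}

# Stand-alone use: sh compare.sh /path/to/spare-copy /mnt/suspect
if [ "$#" -ge 2 ]; then
    compare_trees "$@"
fi
```

Run it from the clean box's own tools, never from binaries on the mounted drive, and keep the output with the incident notes before replacing any file.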