
RE: [cobalt-security] HACK on RAQ3i



> -----Original Message-----
> From: kcelik@xxxxxxxxxxxxxx [mailto:kcelik@xxxxxxxxxxxxxx]
> Sent: 03 March 2001 06:53
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] HACK on RAQ3i
> 
> 
> Hi,
> 
> we have just traced a hack into our primary NS. It's a Trin00 daemon for
> DDoS attacks.

If it's a nameserver it may well have been hacked using the recently
published exploit for BIND. Are you positive you are running the latest
version of BIND?

The hacker will then tend to put a root shell on a particular port, meaning
all they have to do is telnet yourbox.com 12345 (or whatever port number
they choose) and they're straight into a root shell, no password needed.

Grab a copy of Nessus and scan your Raq with it. It will list all the open
security holes.

Mark

> Apart from the log files, are there any other hidden logs I can view to see
> what has taken place???

Check /etc/inetd.conf and even /etc/services to see if there have been any
modifications to them. Your box may have been "rootkitted", i.e. tools such
as ls, cat, netstat etc. have all been replaced with versions which will not
reveal traces of an exploit. There are ways around this, however; do

echo *
echo .*

to list all files in a directory without using the ls command.

> 
> Is my only recourse a Recovery CD? What else can I do to track the
> SH#$@#@$#@$@$@#$ head who did this...
> 

See if you have any router logs etc. Do you run any kind of monitoring on
your router? Cisco NetFlow monitoring or 3Com Traffix Manager with an RMON2
probe are excellent for this kind of thing. Once you know the port number
that they came in on you can look back through your Traffix logs to see
where traffic to that port came from....

Mark
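
An added example (not part of Mark's reply or anything else in this thread)
that turns the two pieces of advice above into a script: list a directory
with the shell's own globbing instead of ls, and read /etc/inetd.conf and
/etc/services with shell builtins (read, case, while) rather than cat or grep,
so that no userland binary the intruder may have replaced is executed. The
/etc/services excerpt and the inetd.conf it scans are constructed sample data
in a temporary directory, including the classic bind-shell entry (a service
whose server program or arguments are a shell) and a service name that has
not been added to /etc/services.

```shell
#!/bin/sh
# Added example, not from the original thread: triage a box that may have
# been rootkitted, using only shell builtins (echo, set, case, read, while)
# so that possibly trojaned ls/cat/grep/netstat binaries are never run.
# The /etc/services and inetd.conf contents below are constructed samples.

# List every entry in directory $1, dotfiles included, without running ls:
# the shell expands the globs itself. "." and ".." are skipped, and an
# unmatched glob (which the shell leaves as a literal) is filtered out.
list_dir() {
    set -- "$1"/* "$1"/.*
    for path; do
        name=${path##*/}
        case $name in
            .|..) continue ;;
        esac
        [ -e "$path" ] || [ -L "$path" ] || continue
        echo "$name"
    done
}

# True if service name $1 appears in the services file $2.
known_service() {
    want=$1
    while read -r name rest; do
        case $name in
            ''|\#*) continue ;;
        esac
        [ "$name" = "$want" ] && return 0
    done < "$2"
    return 1
}

# Print one line per suspicious entry in the inetd.conf $1, checked against
# the services file $2: entries whose server program or arguments are a
# shell (the inetd bind shell Mark describes), and entries whose service
# name is not defined in /etc/services (a name slipped in, or a services
# file edited to match, is worth a look either way).
check_inetd() {
    svcfile=$2
    while read -r svc socktype proto flag user server args; do
        case $svc in
            ''|\#*) continue ;;
        esac
        reason=''
        case $server in
            sh|bash|ksh|csh|*/sh|*/bash|*/ksh|*/csh|*/tcsh|*/zsh)
                reason='server program is a shell' ;;
            *)
                case " $args " in
                    *' sh '*|*'/sh '*|*' bash '*|*'/bash '*)
                        reason='arguments invoke a shell' ;;
                esac ;;
        esac
        if [ -z "$reason" ] && ! known_service "$svc" "$svcfile"; then
            reason='service name not in /etc/services'
        fi
        if [ -n "$reason" ]; then
            echo "$svc: $reason"
        fi
    done < "$1"
}

# Constructed sample tree under $1 (hypothetical contents, not a real box).
build_sample() {
    d=$1
    mkdir -p "$d/etc"
    printf '%s\n' '# constructed /etc/services excerpt' \
        'ftp     21/tcp' 'telnet  23/tcp' 'domain  53/tcp' 'domain  53/udp' \
        > "$d/etc/services"
    printf '%s\n' '# constructed inetd.conf' \
        'ftp     stream tcp nowait root /usr/sbin/tcpd       in.ftpd -l -a' \
        'telnet  stream tcp nowait root /usr/sbin/tcpd       in.telnetd' \
        'domain  stream tcp nowait root /bin/sh              sh -i' \
        'bnd     stream tcp nowait root /usr/sbin/tcpd       /bin/sh -i' \
        'x11     stream tcp nowait root /usr/sbin/in.fingerd in.fingerd' \
        > "$d/etc/inetd.conf"
    : > "$d/etc/.hidden"   # a dotfile a trojaned ls might hide
}

dir=${TMPDIR:-/tmp}/triage-demo.$$
build_sample "$dir"
echo "== entries in $dir/etc (no ls) =="
list_dir "$dir/etc"
echo "== suspicious inetd.conf entries =="
check_inetd "$dir/etc/inetd.conf" "$dir/etc/services"
rm -rf "$dir"
```

Point the two functions at the real /etc/inetd.conf and /etc/services (and at
directories such as /tmp, /dev and /usr/lib where rootkit drops tend to live)
instead of the sample tree. Note the limit of the approach: it assumes the
shell itself is still honest. If /bin/sh has been replaced, or the rootkit is a
kernel module rather than swapped binaries, builtins prove nothing, which is
why a statically linked shell from read-only media, or the Recovery CD the
original poster mentions, is the safer ground to stand on.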