
RE: [cobalt-security] HACK on RAQ3i



I'd advise doing the following things:

If you 'rarely' telnet in, then they may have a packet sniffer somewhere on
your subnet. I'd suggest portscanning (i.e. use Saint for Linux) and having
a look at what's listening locally. It's common for hackers to breach weak
machines on a subnet and then sniff the better boxes that they really want.
As all the admin passwords for the .htaccess are sent in plain text, this is
a common way to get hold of them.

If you find a listener, set up a 'honey pot' (a spare box with loads of open
ports running vulnerable binaries) and run Tripwire (tip: only have the box
switched on during office hours so you can respond fast).
Set up a packet sniffer like the ones from eeye.com to monitor packets for
that IP address as a secondary measure. As soon as they try to breach your
'honey pot' you should be able to trace them as they do it.
It's a long shot, but it's a good way to catch 'em!

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of
kcelik@xxxxxxxxxxxxxx
Sent: 03 March 2001 06:53
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] HACK on RAQ3i


Hi,

We have just traced a hack into our primary NS: it's a Trin00 daemon for
DDoS attacks.

The funny thing is that this box has no virtual sites and no FTP, but does
have Telnet enabled on it. I can't see how they would have accessed the root
shell. We continuously change our passwords on a rolling weekly basis and, to
be honest, rarely telnet to the box anyway.

I have applied all patches from Cobalt to this box and yet the hack was
established. One of the signature files was an erase of the
/var/log........ messages, secure and some other log files.

Also, it took us some time to trace the attack as it was being initiated
from our box outwards, as DDoS attacks of this type are.

Apart from the log files, are there any other hidden logs I can view to see
what has taken place???

Is my only recourse a Recovery CD? What else can I do to track the
SH#$@#@$#@$@$@#$ head who did this...



Regards, KEN

____________________________________________________________________
Kenedi Celik Email:  Kcelik@xxxxxxxxxxxxxx
Mob:   +614 12 980 980


_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
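The reply above recommends running Tripwire, and the original post describes the tell-tale sign that motivates it: /var/log/messages, /var/log/secure and other logs erased after the break-in. The script below is an added example, not code from the thread or from Tripwire, showing the core of what such a file-integrity check does: record a baseline of (sha256, size, mode) for every regular file under a root, then diff a later snapshot and flag files that were added, removed, modified, or truncated to zero length (the "logs wiped" case). The sample tree, file contents and the function names build_baseline/compare_baseline/demo are constructed for the example; the dropped file name usr/lib/.dropped is hypothetical.

```python
"""
Minimal Tripwire-style file-integrity baseline and comparison (added example).
The sample directory tree, file contents and dropped-file name are constructed
for the demo and do not come from the mailing-list thread.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[str, int, int]  # (sha256 hex digest, size in bytes, permission bits)


def _sha256(path: str) -> str:
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Entry]:
    """Record (sha256, size, mode) for every regular file under root, keyed by relative path."""
    baseline: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed here
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (_sha256(full), st.st_size, st.st_mode & 0o7777)
    return baseline


def compare_baseline(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Diff two baselines. A file that had content and now has size 0 is also reported as truncated,
    which is what a wiped /var/log/messages looks like."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "modified": [], "truncated": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel] != new[rel]:
            report["modified"].append(rel)
            if new[rel][1] == 0 and old[rel][1] > 0:
                report["truncated"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then simulate a break-in that wipes the logs,
    replaces a system binary and drops a new file; return the comparison report."""
    with tempfile.TemporaryDirectory() as root:

        def put(rel: str, data: bytes, mode: int = 0o644) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)

        # Clean state (constructed sample files, not real logs).
        put("var/log/messages", b"Mar  3 06:53:01 ns1 syslogd: restart\n")
        put("var/log/secure", b"Mar  3 06:53:02 ns1 login: ROOT LOGIN ON tty1\n")
        put("usr/bin/ps", b"\x7fELF original ps\n", 0o755)
        put("etc/inetd.conf", b"telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n")
        before = build_baseline(root)

        # Simulated compromise: logs truncated, ps trojaned, new hidden file dropped.
        put("var/log/messages", b"")
        put("var/log/secure", b"")
        put("usr/bin/ps", b"\x7fELF trojaned ps\n", 0o755)
        put("usr/lib/.dropped", b"payload\n", 0o755)  # hypothetical dropped file
        after = build_baseline(root)

        return compare_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner should keep in mind. The baseline and the program that checks it have to live somewhere the attacker cannot reach (read-only media or another host), otherwise someone with root simply regenerates the baseline after trojaning the binaries. And the check only tells you that something changed after the baseline was taken; on a box that is already compromised, as in the original post, the first baseline is of the compromised state, which is why the reply suggests running Tripwire on a fresh honeypot rather than on the hacked NS.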