
[cobalt-security] February Hack Update
We have finished checking our RAQ3 following a serious root hack in February
using the Bind exploit. This is what we have found so far by comparing the
hacked machine with a good machine:

1) A file called "erkms.tgz" (probably a Trojan rootkit) was found in the "/tmp"
directory. The file had not been executed. A directory called "erkms" was
also created, although it was empty.

Advice: run a check for the "erkms.tgz" file and directories.
Also check for
  /dev/hdcc
  /dev/hdbb
  /dev/ptyq
as the presence of these may indicate that the script was at least partly
executed.


2) A file called "init" was put into the "/usr/sbin" directory and a process
called "init" was activated every 5 minutes by executing the init file from
crontab. Two "init" processes were therefore running at the same time. The
purpose of the new init process is unknown, but it may open port 681.

Advice: Check for the "/usr/sbin/init" file, check your crontab entries and
check what processes are running. Look for an "init" process other than that
found at PID 1 using "ps -ax".


3) A file called "cronlogd" was put into the "/usr/sbin" directory and
changes were made to "/etc/rc.d/rc.sysinit" to add the text
"/usr/sbin/cronlogd" at the end, which launches "cronlogd" as a process. The
purpose of the cronlogd process is unknown, but it may open port 32.

Advice: Check for "/usr/sbin/cronlogd", check that the "/etc/rc.d/rc.sysinit"
file has not been tampered with, and check what processes are running using
"ps -ax".


4) Changes were made to the file "inetd.conf" and also to the file
"inetd.conf.noqpopper", both found in the "/etc" directory. A new line
reading "4512 stream tcp nowait root /bin/sh sh -i" was added to both files
which opens port 4512.

Advice: check what ports you have open using

netstat -ap | grep "*:*"

Check both of the above files have not been tampered with.


5) We also believe part of the hack was designed to make it impossible for
us to update Bind with patches from Cobalt, either through the GUI or using
wget. We got stuck at version BIND-8.2.2_P7-C1 until we manually
transferred a copy of named BIND-8.2.3-C1 using FTP from a good machine to
get the update in place.

Advice: Check you have BIND-8.2.3** or better in place using "named -v" from
the command line. Anything less is an open door.

6) We have a suspect small text file called "la.pid" in both the "root" dir and
the "/usr/sbin" dir. Web security pages suggest this could be an indicator of
whether malicious code has been properly installed or not. It is not found
on a good machine.

Advice: Try a "locate la.pid" from the command line. Any advice or updates
on this last file or the other malicious files or processes are welcome.

Needless to say this machine is now going offline for a full re-install.

LF
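A script that checks a RAQ3 for the indicators listed in the post above, added here as an example and not part of the original message. The paths, cron/inetd lines and port numbers are the ones the post reports; the script layout, the optional mount-point argument (so a suspect disk can be inspected from a clean machine rather than trusting a live, possibly rootkitted system) and the awk-based duplicate-init check are my own assumptions.

```shell
#!/bin/sh
# Usage: sh check_raq3.sh [ROOT]   e.g. sh check_raq3.sh /mnt/suspect
# ROOT is the root of the filesystem to inspect; it defaults to the live system.

# Files and device nodes the post associates with the compromise.
INDICATOR_PATHS="/tmp/erkms.tgz /tmp/erkms /dev/hdcc /dev/hdbb /dev/ptyq
/usr/sbin/init /usr/sbin/cronlogd /root/la.pid /usr/sbin/la.pid"

# Prints one "FOUND: ..." line per indicator and, as its last line, the number
# of hits. Caveat: on a modern merged-/usr distribution /usr/sbin/init exists
# legitimately, so weigh that one hit against the others.
check_indicators() {
    root="${1:-}"; root="${root%/}"; hits=0
    for p in $INDICATOR_PATHS; do
        if [ -e "$root$p" ]; then echo "FOUND: $p"; hits=$((hits + 1)); fi
    done
    # 3) cronlogd launcher appended to rc.sysinit
    if grep -qs '/usr/sbin/cronlogd' "$root/etc/rc.d/rc.sysinit"; then
        echo "FOUND: cronlogd launched from /etc/rc.d/rc.sysinit"; hits=$((hits + 1))
    fi
    # 2) cron entry that re-runs the fake init every few minutes
    for f in "$root/etc/crontab" "$root"/var/spool/cron/*; do
        if grep -qs '/usr/sbin/init' "$f"; then
            echo "FOUND: /usr/sbin/init scheduled in $f"; hits=$((hits + 1))
        fi
    done
    # 4) root shell bound to port 4512 in inetd.conf and its .noqpopper copy
    for f in /etc/inetd.conf /etc/inetd.conf.noqpopper; do
        if grep -qs '^4512[[:space:]].*sh -i' "$root$f"; then
            echo "FOUND: port 4512 root shell in $f"; hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Reads "ps -eo pid,comm" output on stdin and prints the PID of every "init"
# process other than PID 1 (the post's second indicator, on a live host).
extra_init_pids() {
    awk '$2 == "init" && $1 != 1 { print $1 }'
}

# Only runs when a ROOT argument is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    check_indicators "$1"
    ps -eo pid,comm | extra_init_pids
fi
```

Open ports 681, 32 and 4512 from the post are best confirmed separately with the "netstat -ap" command the post gives, since a rootkitted ps or netstat on the live machine may hide them.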