
[cobalt-security] February Hack update



We have finished checking our RAQ3 following a serious root hack in February
using the Bind exploit. This is what we have found so far by comparing the
hacked machine with a good machine:

1) A file called "erkms.tgz" (probably a Trojan rootkit) was found in "/tmp"
directory. The file had not been executed. A directory called "erkms" was
also created although it was empty.

Advice: run a check for the "erkms.tgz" file and directories.
Also check for
  /dev/hdcc
  /dev/hdbb
  /dev/ptyq
as the presence of these may indicate that the script was at least partly
executed.


2) A file called "init" was put into the "/usr/sbin" directory and a process
called "init" was activated every 5 minutes by executing the file from
crontab. Two "init" processes were therefore running at the same time; the
purpose of the new process is unknown.

Advice: Check for the "init" file, check your crontab entries and check what
processes are running. Look for an "init" process other than that found at
PID1 using "ps -ax".


3) Changes were made to "/etc/rc.d/rc.sysinit" to add the text
"/usr/sbin/cronlogd" at the end which launches a process
called "cronlogd", purpose unknown.

Advice: Check that the "/etc/rc.d/rc.sysinit" file has not been tampered with
and what processes are running using "ps -ax".


4) Changes were made to the file "inetd.conf" and also to the file
"inetd.conf.noqpopper", both found in the "/etc" directory. A new line
reading "4512 stream tcp nowait root /bin/sh sh -i" was added to both files
which opens port 4512.

Advice: check what ports you have open using

netstat -ap | grep "*:*"

Check that both of the above files have not been tampered with.


5) We have a suspect small text file called "la.pid" in both the "root" dir
and the "/usr/sbin" dir. Web security pages suggest this could be an indicator
of whether malicious code has been properly installed or not. It is not found
on a good machine.

Advice: Try a "locate la.pid" from the command line. Any advice or updates
on this file or the other malicious files or processes are welcome.

SC
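A shell check for the indicators listed in the post, added here as an example and not the poster's own script; it assumes the "root" dir in item 5 is /root, and takes an optional prefix so a mounted image of the suspect disk can be examined from a clean host (the process check only runs when no prefix is given).

```shell
#!/bin/sh
# Indicator check for the compromise described in the post above (added
# example, not the poster's script). ROOT is an optional prefix so a mounted
# image of the suspect disk can be examined from a clean host; with no prefix
# the live system is checked, including running processes.
# Prints one line per finding; the return code is the number of findings.
check_host() {
    root="${1:-}"
    findings=0
    hit() { echo "SUSPECT: $1"; findings=$((findings + 1)); }

    # 1) dropped archive, its directory and the device nodes left by the script
    for p in /tmp/erkms.tgz /tmp/erkms /dev/hdcc /dev/hdbb /dev/ptyq; do
        if [ -e "$root$p" ]; then hit "$p exists"; fi
    done

    # 2) planted /usr/sbin/init and the cron entry that runs it every 5 minutes
    if [ -e "$root/usr/sbin/init" ]; then hit "/usr/sbin/init exists"; fi
    for c in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        if [ -f "$c" ] && grep -q '/usr/sbin/init' "$c"; then
            hit "$c runs /usr/sbin/init"
        fi
    done

    # 3) "/usr/sbin/cronlogd" appended to rc.sysinit
    f="$root/etc/rc.d/rc.sysinit"
    if [ -f "$f" ] && grep -q 'cronlogd' "$f"; then hit "$f launches cronlogd"; fi

    # 4) the inetd line "4512 stream tcp nowait root /bin/sh sh -i"
    for f in "$root"/etc/inetd.conf "$root"/etc/inetd.conf.noqpopper; do
        if [ -f "$f" ] && grep -q '^4512[[:space:]]' "$f"; then
            hit "$f binds a shell on port 4512"
        fi
    done

    # 5) la.pid marker; the post's "root" dir is assumed to be /root
    for p in /root/la.pid /usr/sbin/la.pid; do
        if [ -e "$root$p" ]; then hit "$p exists"; fi
    done

    # Live system only: a second "init" (PID other than 1) or a cronlogd process
    if [ -z "$root" ]; then
        procs=$(ps -eo pid=,comm= | awk '($2 == "init" && $1 != 1) || $2 == "cronlogd"')
        if [ -n "$procs" ]; then hit "unexpected process(es): $procs"; fi
    fi
    echo "findings: $findings"
    return "$findings"
}
```

Source the file and run `check_host /mnt/raq3` against a mounted copy of the disk, or `check_host` with no argument on the machine itself.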