
[cobalt-security] RaQ3 Hacked - Information Gathered (Administrator)



cobalt-security-request@xxxxxxxxxxxxxxx wrote:

> Send cobalt-security mailing list submissions to
>         cobalt-security@xxxxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://list.cobalt.com/mailman/listinfo/cobalt-security
> or, via email, send a message with subject or body 'help' to
>         cobalt-security-request@xxxxxxxxxxxxxxx
>
> You can reach the person managing the list at
>         cobalt-security-admin@xxxxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cobalt-security digest..."
>
> Today's Topics:
>
>    1. RE: zcat stdout??? (Jose Luis Aguilar)
>    2. Re: RE: 'On my Soap Box' (Norm Duncan)
>    3. Re: What is robots.txt? (Kul)
>    4. Re: RE: 'On my Soap Box' (Marc Gear)
>    5. Re: RE: 'On my Soap Box' (Adam Sculthorpe)
>    6. Re: Security Costs (Paul Gillingwater)
>    7. RE: What is robots.txt? (Colin J. Raven)
>    8. RaQ3 Hacked - Information Gathered (Administrator)
>
> --__--__--
>
> Message: 1
> From: "Jose Luis Aguilar" <jlaguilar@xxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Subject: RE: [cobalt-security] zcat stdout???
> Date: Sun, 11 Mar 2001 16:36:08 -0400
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> This happened to our RaQ3 too after installing the vixie-cron Update 4.0.1
>
> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Robbert
> Hamburg
> Sent: Sunday, March 11, 2001 6:07 AM
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] zcat stdout???
> Importance: High
>
> Hello,
>
> Today I received this in my mail; it came originally from cron.weekly.
> However, I'm not sure what it is and whether it poses any security threats.
> Can you please give me some advice?
>
> Below is what I got.
>
> Sent: Sunday, March 11, 2001 4:22 AM
> Subject: Cron <root@www> run-parts /etc/cron.weekly
>
> zcat: stdout: Broken pipe
>
> zcat: stdout: Broken pipe
>
> zcat: stdout: Broken pipe
>
> zcat: stdout: Broken pipe
>
> zcat: stdout: Broken pipe
>
> zcat: stdout: Broken pipe
>
> zcat: stdout: Broken pipe
>
> zcat: stdout: Broken pipe
>
> zcat: stdout: Broken pipe
>
> zcat: stdout: Broken pipe
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
> --__--__--
>
> Message: 2
> Date: Sun, 11 Mar 2001 13:47:26 -0800
> From: "Norm Duncan" <norm@xxxxxxxxxxxxxxx>
> To: cobalt-security@xxxxxxxxxxxxxxx, cobalt-security@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-security] RE: 'On my Soap Box'
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> Please add me to the list of RAQ owners who are finding out that the buying of the box and initial setup is the easy part. After having my RAQ3 hacked twice in 11 months, I need help. Need to re-install the OS on the 3 and add some better protection to my RAQ4r as needed. Is there a wizard out there who is available for such work? I have neither the knowledge nor the time.
> Norm D
>
> *********** REPLY SEPARATOR  ***********
>
> On 3/6/2001 at 9:00 PM John Bailey wrote:
>
> >On Tue, 6 Mar 2001, Mark Anderson wrote:
> >
> >> Infact the opposite is true - there is such
> >> a wealth of information available that admins have no excuse
> >> for having bad security. To be a good hacker/cracker (choose
> >> your media buzzword)
> >
> >There is a difference between the widely accepted definition of 'hacker'
> >and that of 'cracker', you know.
> >
> >> the attacker has to have a level of skill
> >> and knowledge that exceeds that of the admin.
> >
> >There are other issues to take into account though.  For example, after
> >the bind problems came to light, it took Cobalt 3(?) days to get upgraded
> >.pkg files out (please note I'm not having a go at Cobalt here).  During
> >those three days, many RaQs and Qubes all over the net remained
> >vulnerable.  More knowledgable(?) admins had compiled their own
> >replacements the minute they heard about the problem, but many admins
> >don't know how to wield a "./configure ; make install".  I think that this
> >problem is more widespread on Cobalt machines, as they're sold on a 'you
> >can administer it all through this web interface' basis.  I know of a lot
> >of people who got a harsh lesson in reality during those days, either by
> >getting their machines compromised, or by being forced to learn admin
> >tasks they hadn't originally thought they'd need.
> >
> >> An attacker sees the same mail on Bugtraq and tries it on a few
> >> machines to see what he can get with a little effort. Not only
> >> is it likely that the exploit code will have been gutted and
> >> cease to actually work, but the attacker would need an equal
> >> skill level as the original coder to fix it.
> >
> >I'd say that that depends on how badly the code's been gutted ... but
> >aside from that,  I don't think that most script kiddies are in the habit
> >of collecting code from bugtraq.  They let someone else do the hardwork
> >(be it writing the exploit or correcting kludged code) then they just
> >point and root.
> >
> >> What I'm trying to point out is that protecting a server is
> >> fall-off-my-chair-laughing easy. However to be a remotely good
> >> attacker, it takes time, skill, intellect and a few drops of
> >> luck.
> >
> >I take issue with that point in its entirety.  For a start, not all bugs
> >get posted to BugTraq straight away .. how can you patch against bugs
> >you're unaware of ?  Even given that you know that a vulnerability exists
> >and needs patching, it's only easy to you because you're familiar with
> >linux.  As I think everyone on this list should be painfully aware, it
> >can take no skill at all to be an effective cracker.  Kits such as Ramen,
> >which are self-propagating, are a case in point.
> >
> >The bottom line that it all comes down to is (and this is quoted from a
> >source I don't remember) that the admin has to be lucky all the time, the
> >cracker only once.
> >
> >To take a better known quote to finish .. "Your confidence is your
> >weakness".
> >
> >John
> >
> >_______________________________________________
> >cobalt-security mailing list
> >cobalt-security@xxxxxxxxxxxxxxx
> >http://list.cobalt.com/mailman/listinfo/cobalt-security
>
>
> --__--__--
>
> Message: 3
> Date: Sun, 11 Mar 2001 23:08:58 +0000
> From: Kul <WebMaster@xxxxxxx>
> Organization: Qax
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-security] What is robots.txt?
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> "Colin J. Raven" wrote:
>
> > On Thu, 8 Mar 2001, Siao Yuan Tan wrote:
> > > Inside my Cobalt RaQ4r, I found this file robots.txt in /usr/admserv/html/
> > > folder with the following content:
> > >
> > > # Prevent all robots from visiting this site:
> > >
> > > User-agent: *
> > > Disallow: /
> > >
> > > I came to know of this file from the webalizer report, because this file seems to
> > > have a number of hits to it.  Does anyone know what this file is doing on my
> > > server?
>
> >
> > It's there to prevent spiders from roving through (and reporting on) your
> > admin pages. .....<snip>
>
> Can I suggest that this is not in fact the case? - meant nicely :)
> It is really there to ***ASK*** robots / spiders not to perform the search (or, used in a normal context, to request limits as to what gets searched, i.e. "Disallow /images" is a common example).
> "Rude" robots will not even bother looking at the file <g>
>
> I know it's only semantics, but it is important for all to realise that this method will "NOT" stop nosey robots!
> --
> Regards,
> Kul
>
> --__--__--
>
> Message: 4
> From: "Marc Gear" <marcg@xxxxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Subject: Re: [cobalt-security] RE: 'On my Soap Box'
> Date: Sun, 11 Mar 2001 21:30:58 -0000
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> > Please add me to the list of RAQ owners who are finding out that the
> buying of the box and initial setup is the easy part. After having my RAQ3
> hacked twice in 11 months, I need help. Need to re-install OS on the 3 and
> and add some better protection to my RAQ4r as needed. Is there a wizard out
> there who is available for such work? I have neither the knowledge nor the
> time.
> > Norm D
>
> Security consultants cost the earth, and this mailing list is not a
> recruitment agency for them anyway. You are far better learning to, and
> doing it yourself.
>
> The (free) advice I will give you is to learn how to do it yourself, as it
> will cost you less money (and time) in the long run. Else, look elsewhere to
> employ people to do it for you. Follow all the links below, and you are
> going to be getting drastically more secure than the default cobalt install.
>
> http://www.cobalt.com/support/download/raq3
> http://www.cobalt.com/support/download/raq4
> http://www.enteract.com/~lspitz/linux.html
> http://www.openssl.org
> http://www.openssh.com
> http://www.insecure.org/nmap
> http://www.chkrootkit.org/
> http://www.tripwire.org/
> http://www.psionic.com/abacus/portsentry/
> http://www.psionic.com/abacus/logcheck/
> http://www.bastille-linux.org
>
> And if you manage all that then you are halfway towards making a halfway
> secure server.
> (that list is a lot longer than I intended... I guess there is maybe a lot
> more to this security lark than people think and to think I left out tons of
> links...)
> --
> /\/\ a R (
>
> --__--__--
>
> Message: 5
> Date: Mon, 12 Mar 2001 00:55:17 +0000
> From: "Adam Sculthorpe" <sculthorpe@xxxxxxxxxxxxx>
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-security] RE: 'On my Soap Box'
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> Norm's point was he didn't have the 'time' or 'knowledge', and sometimes this is hard to
> change when you have a business to run or other aspects to concentrate on. I would
> suggest you contact Internet Security Systems at http://www.iss.net/ if you have the
> money to pay for a solution.
>
> Also 'expensive' is a matter of numbers, if you stand to lose all of your clients due to
> a hack then I would argue differently. If the amount you stand to lose is significant
> then I would suggest budgeting for security is a good thing.
>
> Do the numbers and find the right level of solution !
>
> Regards,
>
> Adam Sculthorpe
>
> Internet Security Consultant
>
> *********** REPLY SEPARATOR  ***********
>
> On 11/03/2001 at 21:30 Marc Gear wrote:
>
> >> Please add me to the list of RAQ owners who are finding out that the
> >buying of the box and initial setup is the easy part. After having my RAQ3
> >hacked twice in 11 months, I need help. Need to re-install OS on the 3 and
> >and add some better protection to my RAQ4r as needed. Is there a wizard out
> >there who is available for such work? I have neither the knowledge nor the
> >time.
> >> Norm D
> >
> >Security consultants cost the earth, and this mailing list is not a
> >recruitment agency for them anyway. You are far better learning to, and
> >doing it yourself.
> >
> >The (free) advice I will give you is to learn how to do it youself, as it
> >will cost you less money (and time) in the long run. Else, look elsewhere
> >to
> >employ people to do it for you. Follow all the links below, and you are
> >going to be getting drastically more secure than the default cobalt
> >install.
> >
> >http://www.cobalt.com/support/download/raq3
> >http://www.cobalt.com/support/download/raq4
> >http://www.enteract.com/~lspitz/linux.html
> >http://www.openssl.org
> >http://www.openssh.com
> >http://www.insecure.org/nmap
> >http://www.chkrootkit.org/
> >http://www.tripwire.org/
> >http://www.psionic.com/abacus/portsentry/
> >http://www.psionic.com/abacus/logcheck/
> >http://www.bastille-linux.org
> >
> >And if you manage all that then you are halfway towards making a halfway
> >secure server.
> >(that list is a lot longer than I intended... I guess there is maybe a lot
> >more to this security lark than people think and to think I left out tons
> >of
> >links...)
> >--
> >/\/\ a R (
> >
> >
> >
> >
> >
> >
> >_______________________________________________
> >cobalt-security mailing list
> >cobalt-security@xxxxxxxxxxxxxxx
> >http://list.cobalt.com/mailman/listinfo/cobalt-security
>
> --__--__--
>
> Message: 6
> Date: Mon, 12 Mar 2001 06:44:33 -0000
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Subject: Re: [cobalt-security] Security Costs
> From: "Paul Gillingwater" <paul@xxxxxxxxxxx>
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> Marc Gear <marcg@xxxxxxxxxxxxxx> said:
> > Security consultants cost the earth, and this mailing list is not a
> > recruitment agency for them anyway. You are far better learning to, and
> > doing it yourself.
>
> I agree, this list is not the best place to do this.  However, maybe Cobalt
> could maintain a list of such Security consultants who have Cobalt
> experience, so you could find them on the Web site.  With competition, you
> might find a consultant you could afford.
>
> In general, it's an economic question.  How much can your business afford to
> lose, if your site is hacked and all data is lost?  Of course, backups can
> reduce some of the damage, but what about the downtime and loss of confidence
> from your customers?  The best business model I have seen is "Active
> Insurance", where some companies offer an insurance policy (fixed monthly
> payment) and in return, they patch your site for you and guarantee to fix it
> for free if you are hacked.
> --
> *********************************
>         Paul Gillingwater
>         Managing Director
>  CSO Lanifex Unternehmensberatung
>  & Softwareentwicklung G.m.b.H.
>       NEW BUSINESS CONCEPTS
>
> E-mail:  paul@xxxxxxxxxxx
> Telnum:  +43/1/21 98 222
> Mobile:  +43/699/1922 3085
> Webhome: http://www.lanifex.com
> Address: Praterstrasse 60/1/2
>          A-1020 Vienna, Austria
> *********************************
>
> --__--__--
>
> Message: 7
> From: "Colin J. Raven" <cjraven@xxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Subject: RE: [cobalt-security] What is robots.txt?
> Date: Mon, 12 Mar 2001 08:50:46 -0500
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> >"Colin J. Raven" wrote:
> >
> >> On Thu, 8 Mar 2001, Siao Yuan Tan wrote:
> >> > Inside my Cobalt RaQ4r, i found this file robots.txt in
> >/usr/admserv/html/
> >> > folder with the following content:
> >> >
> >> > # Prevent all robots from visiting this site:
> >> >
> >> > User-agent: *
> >> > Disallow: /
> >> >
> >> > I come to know this file from the webalizer report because
> >this file seem to
> >> > have a number of hits to it.  Anyone know what is this
> >file doing in my
> >> > server?
> >
> >>
> >> It's there to prevent spiders from roving through (and
> >reporting on) your
> >> admin pages. .....<snip>
> >
> >Can I suggest that this is not in fact the case? - meant nicely :)
> >It is really there to ***ASK*** robots / spiders not to
> >perform the search (or used in a normal context, to request
> >limits as to what gets searched  i.e. "Disallow /images" is a
> >common example).
> >"Rude" robots will not even bother looking at the file <g>
> >
> >I know it's only semantics, but it is important for all to
> >realise that this method will "NOT" stop nosey robots!
> >--
> Ah yes indeed, you are *so* correct Kul. I was semantically incorrect,
> and the correct explanation is the one you tendered above. Thank you for
> the clarification, it *is* a most important distinction.
> Regards,
> -Colin
> --
> Colin J. Raven
>
> --__--__--
>

Dear Todd S.

You can submit the information to cert.org.
And it will be a good job if you let the world know about this. Maybe you can post the summary later on at linuxsecurity.com.
(Pardon me if I do not know how to post in a mailing list; I hope I'll learn quickly. Error!)

Kevin

>
> Message: 8
> From: Administrator <Administrator@xxxxxxxxxxxxxx>
> To: "'cobalt-security@xxxxxxxxxxxxxxx'" <cobalt-security@xxxxxxxxxxxxxxx>
> Date: Thu, 8 Mar 2001 11:05:08 -0600
> Subject: [cobalt-security] RaQ3 Hacked - Information Gathered
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> Recently, my Raq3 was hacked. I was able to get back into the system with
> the ROM boot method. I was able to determine that the kernel, among other
> things, was modified.  Additionally, the hacker left some information behind
> that might be of interest to someone.  My question is what do I do with the
> information gathered?  Is there some sort of central authority that tracks
> this information?  Does Sun / Cobalt want this information before I rebuild
> the OS?
> My apologies if I posted in the wrong list.
> -Todd S.
>
> --__--__--
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
> End of cobalt-security Digest
--
Kevin Verma
Systems Administrator, Technical Department
Venus Infotech Private Limited
116, Parle Point Place, Parle Point, Athwalines, Surat, Gujarat 395007, INDIA
Tel: +91-261-217895   Fax: +91-261-228421
E-mail: kevin@xxxxxxxxxxxxxxxxx
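
On the "zcat: stdout: Broken pipe" question in message 1 of the digest: that line is what gzip prints when the program reading its output (head, for instance, in a script that only wants the first line of each compressed file) closes the pipe early while SIGPIPE is being ignored. With SIGPIPE at its default disposition the writer is simply killed and nothing is printed; with SIGPIPE ignored the write fails with EPIPE and gzip reports it. Children inherit an ignored SIGPIPE from the daemon that starts them, which is why a change of cron daemon can make the message appear in cron.weekly mail on an otherwise untouched box. The message is not by itself an intrusion indicator, but it is still worth finding the script that emits it: run the /etc/cron.weekly scripts by hand from a shell in which SIGPIPE is ignored (trap '' PIPE in sh) and see which one prints it. The Python below is an added example written for this page, not code from the thread: it reproduces both behaviours with a plain pipe and decodes the SigIgn line of /proc/<pid>/status so the cron daemon's disposition can be checked on a Linux system. The function names are mine.

```python
"""Reproduce the mechanism behind "zcat: stdout: Broken pipe" in cron mail.

Added example; not from the original thread. A writer whose pipe has no
reader left is normally killed by SIGPIPE (silent exit). If SIGPIPE is
ignored, the same write() fails with EPIPE instead and gzip reports it
as "stdout: Broken pipe". Children inherit an ignored SIGPIPE from the
daemon that starts them, so the daemon's disposition decides which of
the two you get. Unix only (fork); the /proc reader is Linux only.
"""
import errno
import os
import signal


def write_to_closed_pipe(ignore_sigpipe: bool) -> str:
    """Fork a child that writes into a pipe nobody reads.

    Returns "sigpipe" if the child was killed by the signal (default
    disposition) or "epipe" if it survived and got EPIPE (SIGPIPE ignored).
    """
    rfd, wfd = os.pipe()
    os.close(rfd)                      # no reader exists at all
    pid = os.fork()
    if pid == 0:                       # child: stands in for a script started by cron
        signal.signal(signal.SIGPIPE,
                      signal.SIG_IGN if ignore_sigpipe else signal.SIG_DFL)
        try:
            os.write(wfd, b"x" * 4096)
            os._exit(0)
        except OSError as exc:
            os._exit(10 if exc.errno == errno.EPIPE else 11)
    os.close(wfd)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status) and os.WTERMSIG(status) == signal.SIGPIPE:
        return "sigpipe"
    if os.WIFEXITED(status) and os.WEXITSTATUS(status) == 10:
        return "epipe"
    return "other"


def sigpipe_ignored(sigign_mask_hex: str) -> bool:
    """Decode the SigIgn field of /proc/<pid>/status.

    The mask has bit (signum - 1) set for each ignored signal, so SIGPIPE
    (13 on Linux) is bit 12, i.e. 0x1000.
    """
    return bool(int(sigign_mask_hex, 16) & (1 << (signal.SIGPIPE - 1)))


def daemon_ignores_sigpipe(pid: int) -> bool:
    """Read the live mask for a process, e.g. the cron daemon's PID (Linux)."""
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            if line.startswith("SigIgn:"):
                return sigpipe_ignored(line.split()[1])
    raise RuntimeError("no SigIgn line in /proc status")


if __name__ == "__main__":
    print("SIGPIPE default :", write_to_closed_pipe(False))   # sigpipe
    print("SIGPIPE ignored :", write_to_closed_pipe(True))    # epipe
```

To check a running cron daemon, pass its PID to daemon_ignores_sigpipe(); if it returns True, every job it starts inherits the ignored signal and any "zcat | head" in a cron script will produce exactly the mail quoted above.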
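
On the robots.txt thread (messages 3 and 7): Kul's correction matters beyond semantics. A "Disallow: /" in the admin server's robots.txt is a request that a well-behaved crawler honours and a scanner ignores, and a more specific Disallow list is also a neatly formatted inventory of the paths the owner considers sensitive. Enforcement has to come from the server itself (authentication, and restricting the admin interface to known addresses), not from the file. The hits on the file that show up in webalizer are useful in their own right, though: a client that fetches robots.txt and then requests the disallowed paths anyway is worth a look. The script below is an added example, not code from the thread; it reads the Disallow rules for "User-agent: *" (handling several rules and groups, not only the single "Disallow: /" in the thread), walks an access log in Apache common log format (what webalizer reads) and reports clients that requested disallowed paths, noting whether they fetched robots.txt first. The robots.txt and log lines are constructed for the example and the function names are mine.

```python
"""Spot clients that ignore robots.txt (or use it as a map).

Added example, not from the original thread. robots.txt is a request,
not a control: this script reads the Disallow rules for "User-agent: *"
and walks a web server access log to find clients that requested
disallowed paths anyway, noting whether they fetched robots.txt first
(a scanner reading the file to learn where the admin pages are) or
never at all. ROBOTS_TXT and ACCESS_LOG are constructed sample data.
"""
import re
from collections import defaultdict

# Apache common log format: client, ident, user, [time], "method path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

ROBOTS_TXT = """\
# Prevent all robots from visiting this site:

User-agent: *
Disallow: /
"""

ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2001:08:50:46 -0500] "GET /robots.txt HTTP/1.0" 200 68
10.0.0.5 - - [12/Mar/2001:08:50:47 -0500] "GET /admin/ HTTP/1.0" 401 312
10.0.0.5 - - [12/Mar/2001:08:50:48 -0500] "GET /cgi-bin/status HTTP/1.0" 404 210
192.0.2.9 - - [12/Mar/2001:09:01:03 -0500] "GET /robots.txt HTTP/1.0" 200 68
198.51.100.2 - - [12/Mar/2001:09:15:00 -0500] "HEAD /cgi-bin/admin HTTP/1.0" 404 0
"""


def parse_robots(text):
    """Return the Disallow prefixes that apply to all robots (User-agent: *)."""
    rules, in_star, last_was_ua = [], False, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            in_star, last_was_ua = False, False    # a blank line ends a group
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            # consecutive User-agent lines share one group of rules
            in_star = value == "*" or (in_star and last_was_ua)
            last_was_ua = True
            continue
        last_was_ua = False
        if field == "disallow" and in_star and value:   # empty Disallow allows all
            rules.append(value)
    return rules


def disallowed(path, rules):
    """Prefix match, which is what the robots exclusion convention specifies."""
    return any(path.startswith(r) for r in rules)


def rude_clients(log_text, rules, robots_path="/robots.txt"):
    """Map client -> (fetched_robots_txt, [disallowed paths it requested])."""
    fetched, hits = set(), defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                   # malformed line: skip
        client, _method, path, _status = m.groups()
        path = path.split("?", 1)[0]                   # ignore query strings
        if path == robots_path:
            fetched.add(client)
        elif disallowed(path, rules):
            hits[client].append(path)
    return {c: (c in fetched, p) for c, p in hits.items()}


if __name__ == "__main__":
    report = rude_clients(ACCESS_LOG, parse_robots(ROBOTS_TXT))
    for client, (read_it, paths) in report.items():
        print(client, "read robots.txt first" if read_it else "never read robots.txt", paths)
```

In the constructed log, 192.0.2.9 reads the file and stops (a polite crawler), 10.0.0.5 reads it and walks the disallowed tree anyway, and 198.51.100.2 never asks at all; only the last two are reported.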
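
On message 8 (Todd's RaQ3, where the kernel "among other things" was modified) and the Tripwire and chkrootkit links in message 4: the way to know which files an intruder replaced is a baseline of digests taken while the system was known good, stored somewhere the intruder cannot reach, and compared against the filesystem from a clean boot such as the ROM boot Todd used. The Python below is an added example written for this page, not Tripwire's code and not from the thread. It records SHA-256, mode, owner and size for every regular file under a root, reports what was added, removed or changed, and flags files that gained the setuid bit. It leaves out mtime on purpose, because touch resets it, whereas a digest over the content cannot be faked without changing the content. The demo() function builds a constructed tree in a temporary directory (a replaced bin/ls of the same size, a removed kernel, a dropped file) so the script runs without touching the real system; the function names are mine. Two caveats: a root-level intruder who is still on the box can edit the baseline or the checking tool, and a kernel rootkit can lie to any tool run on the compromised system, which is why the comparison belongs on a clean boot and the baseline off-box.

```python
"""Minimal file-integrity baseline in the spirit of Tripwire.

Added example; not from the original thread and not Tripwire's code.
It records a SHA-256 digest plus mode, owner and size of every regular
file under a root and later reports what was added, removed or changed,
plus files that gained the setuid bit. mtime is deliberately not
recorded: an intruder resets it with touch, while a digest over the
content cannot be faked without changing the content. Keep the baseline
where root on the monitored box cannot rewrite it, and run the
comparison from a clean boot.
"""
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path, bufsize=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative path: {sha256, mode, uid, gid, size}} for regular files under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                  # symlinks, devices, sockets are out of scope here
            baseline[os.path.relpath(full, root)] = {
                "sha256": _sha256(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return baseline


def compare(old, new):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


def new_setuid(old, new):
    """Files that carry the setuid bit now but did not in the baseline."""
    def suid(entry):
        return int(entry["mode"], 8) & stat.S_ISUID != 0
    return sorted(p for p, e in new.items()
                  if suid(e) and not (p in old and suid(old[p])))


def save_baseline(baseline, path):
    """Write the baseline as JSON; in real use this file lives off the monitored host."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: a trojaned binary of unchanged size, a removed kernel, a dropped file."""
    root, store = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"real ls")
    with open(os.path.join(root, "vmlinuz"), "wb") as f:
        f.write(b"kernel")
    baseline_file = os.path.join(store, "baseline.json")   # separate location from root
    save_baseline(build_baseline(root), baseline_file)
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"evil ls")               # same size as before, different content
    os.remove(os.path.join(root, "vmlinuz"))
    with open(os.path.join(root, "bin", "sh.bak"), "wb") as f:
        f.write(b"dropped")
    return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```

Because the entry for bin/ls stores the digest and not the timestamp, the same-size replacement shows up as modified even though ls -l would look identical; the setuid check is the other thing worth running first on a recovered box, since a copied shell with the setuid bit set is the commonest thing an intruder leaves behind to get root back.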