[cobalt-security] hacked raq3
- Subject: [cobalt-security] hacked raq3
- From: "Kai Schantz, Euroweb" <kai@xxxxxxxxxx>
- Date: Wed, 14 Mar 2001 00:28:12 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi, and please help me
Our raq3 was hacked (March 11-12) and files and programs were deleted and/or
permissions were changed on some files. I do not have the full view of all
the hacked files or how it happened. A server in the US kept sending big
packages to our raq for several hours until our network supplier cut their
IP range off (see atch1). I do think they started their own telnet (telnetd)
and ftp (data-ftp) programs. One of the users they created was 42:
drwxr-xr-x 3 42 42 1024 Jun 20 2000 apache (atch 2)
If it can give a clue, I can tell that sendmail is giving an error in the admin
web interface that says it's not running, but mails get delivered and it looks
ok. I also restarted the server in the admin console, but the admin console
says the server has been running for over 14 days. I tried to disconnect the
telnet server, but even I was still using telnet after it was turned
off.
Anybody who can help me with names of processes that normally should not
run, and commands I can use to get port, user and other info, useful when I
think there is something going wrong in the cobalt? (I am a newbie.)
I am grateful to all tips regarding this hack and how to trace things in the
future. Take a look at the logs and info at the end of the mail.
Regards,
Kai R Schantz
Euroweb AS
Verksgaten 42
N-4013 Stavanger
Norway
Tlf:+47 51 89 64 64 fax:+47 51 89 56 41
www.euroweb.no
hotellet-gw#sh ip accounting
Source Destination Packets Bytes
213.142.74.118 212.37.252.106 2 86
192.36.148.17 212.37.252.106 1 120
62.66.242.228 212.37.252.106 1 40
170.140.161.237 212.37.252.106 592 33152
XXXXXX
170.140.161.238 212.37.252.106 592 33152
XXXXXX
194.29.203.100 212.37.252.106 13 1019
152.163.132.250 212.37.252.106 1 56
195.204.132.202 212.37.252.106 16 728
170.140.43.64 212.37.252.106 18 720
XXXXXXX
152.163.159.232 212.37.252.106 1 157
212.33.133.33 212.37.252.106 2 309
129.240.64.2 212.37.252.106 1 165
205.188.157.232 212.37.252.106 1 182
170.140.102.64 212.37.252.106 38315 1532600
XXXXXX
130.67.15.194 212.37.252.106 1 62
193.156.90.14 212.37.252.106 2 112
130.67.61.34 213.236.138.20 1 56
209.15.2.61 212.37.252.106 2 84
195.204.218.58 212.37.252.106 336 31100 x?
130.67.81.122 212.37.252.106 39 1560
192.36.144.133 212.37.252.106 2 454
170.140.164.127 212.37.252.106 734 29360
XXXXXX
Source Destination Packets Bytes
62.1.254.14 212.37.252.106 1 40
216.35.103.81 212.37.252.106 13 894
209.202.148.41 212.37.252.106 5 561
130.67.231.136 212.37.252.106 102 8820
128.39.2.9 212.37.252.106 6 401
170.140.48.191 212.37.252.106 23718 948720
XXXXXX
213.236.138.2 212.37.252.106 1 170
212.37.252.106 213.236.138.2 1 70
148.122.161.49 213.236.138.20 11 2959
216.35.112.51 212.37.252.106 10 783
193.215.2.145 212.37.252.106 71 10178
XXXXXXX
152.163.225.90 212.37.252.106 2 116
62.191.152.149 212.37.252.106 8 367
152.163.225.69 212.37.252.106 11 1730
Accounting data age is 0
WHOIS:
IP block lookup for 170.140.102.64
whois -h whois.arin.net 170.140.102.64
Emory University (NET-EMORY2)
Atlanta GA, 30322
US
Netname: EMORY2
Netblock: 170.140.0.0 - 170.140.255.255
Coordinator:
Petersen, Paul (PP1526-ARIN) ppeters@xxxxxxxxx
(404) 727-7686 (FAX) (404) 727-2599
(atch 2)
-rw-rw-rw- 1 root root 9300 Mar 11 20:07 chili-psm
-rw-r--r-- 1 root root 1776311 Mar 11 04:11 access.1.gz
drwxr-xr-x 16 root root 1024 Mar 12 14:15 .
drwxr-xr-x 16 root root 1024 Mar 12 12:34 ..
drwxr-xr-x 3 42 42 1024 Jun 20 2000 apache
drwxr-xr-x 17 root root 1024 Jan 18 08:03 chiliasp
drwxr-xr-x 9 root root 1024 Dec 19 19:28 cmu
drwxr-xr-x 3 root root 1024 Jan 6 2000 httpd
drwxr-xr-x 3 root root 1024 Jan 6 2000 log
drwxr-xr-x 2 root root 12288 Jan 6 2000 lost+found
drwxr-xr-x 12 httpd httpd 1024 Jun 21 2000 openshop
drwxr-xr-x 2 admin admin 1024 Feb 13 05:36 packages
drwx------ 3 postgres postgres 1024 Feb 15 20:01 pgsql
-rw------- 1 root root 32032 Mar 13 12:33 quota.group
-rw------- 1 root root 32480 Mar 13 17:32 quota.user
drwxr-xr-x 7 root root 1024 Jan 6 2000 redhat
drwxr-xr-x 2 root nobody 1024 Jul 22 1999 samba
drwxr-xr-x 196 root root 9216 Mar 5 12:10 sites
-rw-rw-r-- 1 admin admin 695162297 Mar 12 14:12 sites.tar.gz
drwxr-xr-x 4 root root 1024 Jan 6 2000 spool
drwxrwxrwx 4 root root 1024 Mar 13 15:55 tmp
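The two attachments above are the kind of raw output a first triage pass works from: the `sh ip accounting` table says who sent the bulk of the traffic, and the `ls -la` listing says which files have an owner that no longer maps to an account or are writable by everyone. The script below is an added example written for this archive entry, not code from the original mail or from Cobalt; it parses a few lines copied verbatim from both attachments, ranks sources by bytes and by /16 prefix (so the 170.140.0.0/16 block from the whois lookup stands out as one aggregate), and flags listing entries whose owner or group is unknown or which are world-writable regular files. The `KNOWN_ACCOUNTS` set is a constructed stand-in for the accounts in `/etc/passwd`; on a real system it would be built from `pwd.getpwall()` and `grp.getgrall()` on the box being examined.

```python
"""Triage helpers for a 'sh ip accounting' table and an 'ls -la' listing.
Added example; the sample lines are copied from the post and the account
table is a constructed stand-in for /etc/passwd and /etc/group."""
import ipaddress
import re
from collections import defaultdict

# Lines copied from the post's 'sh ip accounting' output (atch 1).
ACCOUNTING = """\
Source Destination Packets Bytes
213.142.74.118 212.37.252.106 2 86
170.140.161.237 212.37.252.106 592 33152
170.140.102.64 212.37.252.106 38315 1532600
170.140.48.191 212.37.252.106 23718 948720
212.37.252.106 213.236.138.2 1 70
Accounting data age is 0
"""

# Lines copied from the post's directory listing (atch 2).
LISTING = """\
-rw-rw-rw- 1 root root 9300 Mar 11 20:07 chili-psm
-rw-r--r-- 1 root root 1776311 Mar 11 04:11 access.1.gz
drwxr-xr-x 3 42 42 1024 Jun 20 2000 apache
drwxr-xr-x 12 httpd httpd 1024 Jun 21 2000 openshop
drwxrwxrwx 4 root root 1024 Mar 13 15:55 tmp
"""

# Constructed stand-in for the names in /etc/passwd and /etc/group.
KNOWN_ACCOUNTS = {"root", "admin", "httpd", "postgres", "nobody"}

ACCT_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)$")
LS_RE = re.compile(
    r"^([\-dl][rwxsStT\-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"(\S+\s+\d+\s+\S+)\s+(.+)$")


def parse_accounting(text):
    """Return (src, dst, packets, bytes) rows; header/footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ACCT_RE.match(line.strip())
        if m:
            src, dst, pkts, nbytes = m.groups()
            rows.append((src, dst, int(pkts), int(nbytes)))
    return rows


def top_talkers(rows, dst, limit=3):
    """Sources that sent the most bytes to dst, highest first."""
    totals = defaultdict(int)
    for src, d, _pkts, nbytes in rows:
        if d == dst:
            totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]


def bytes_by_prefix(rows, dst, prefix_len=16):
    """Aggregate bytes sent to dst by source prefix (default /16), as
    {'a.b.0.0/16': bytes}; useful for matching against a whois netblock."""
    totals = defaultdict(int)
    for src, d, _pkts, nbytes in rows:
        if d == dst:
            net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
            totals[str(net)] += nbytes
    return dict(totals)


def suspicious_entries(text, known=KNOWN_ACCOUNTS):
    """Flag listing entries owned by an unknown account (e.g. a bare UID
    left behind after an account was removed or never existed) and regular
    files that are writable by everyone. Returns (name, reason) pairs."""
    findings = []
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if not m:
            continue
        mode, owner, group, _size, _date, name = m.groups()
        # mode[8] is the 'other' write bit in the 10-character mode string.
        if mode[0] == "-" and mode[8] == "w":
            findings.append((name, "regular file is world-writable"))
        if owner not in known or group not in known:
            findings.append((name, f"owner/group {owner}:{group} unknown"))
    return findings


if __name__ == "__main__":
    rows = parse_accounting(ACCOUNTING)
    victim = "212.37.252.106"
    print("top talkers:", top_talkers(rows, victim))
    print("by /16:", bytes_by_prefix(rows, victim))
    for name, reason in suspicious_entries(LISTING):
        print(f"{name}: {reason}")
```

Running it against the copied lines ranks 170.140.102.64 first and shows the whole 170.140.0.0/16 block as the dominant aggregate, which is the same block the whois query attributes to Emory University; the listing check reports chili-psm as world-writable and apache as owned by the numeric 42:42 that the post mentions.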