Re: [cobalt-security] hacked raq3
- Subject: Re: [cobalt-security] hacked raq3
- From: Kevan Benson <kentrak@xxxxxxxxx>
- Date: Tue, 13 Mar 2001 17:14:07 -0800
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
I can't really tell you what processes should be running, because that
depends on your services, but I can give you a somewhat good walkthrough for
finding problems.
As a start I would advise you run "ps -auxwww" on the server and check what
programs it says are running, and try to account for them all. If you don't
know what something does, look at the man page or do a google search. Next,
run "netstat -plven" AS ROOT. That will tell you what programs are listening
on what ports, and their PIDs. After that telnet to those ports and see if
they respond with what they should (for example, try telnetting to a host
with FTP on port 21; they usually respond saying the FTP server type and
version). A good port scanner for linux is nmap, get it at freshmeat.net.
Another good scanner/system checker is nessus, get it at the same place.
These are both linux tools; I don't know their equivalent in windows or mac.
If you don't have access to the shell, and can't get it, you need to (or have
someone) reboot the machine, and boot to single user mode, which can be done
through extra parameters on bootup. Mail if you need that.
Sorry if this doesn't apply to you too much, but I figure the more info out
there for people, the better.
-KB
On Tuesday 13 March 2001 15:28, you wrote:
> Hi, and please help me
>
> Our raq3 was hacked (March 11-12) and files and programs were deleted
> and/or permissions were changed on some files. I do not have the full view
> on all the hacked files or how it happened. A server in the US kept sending
> big packages to our raq for several hours until our network supplier cut
> their IP range off (see atch1). I do think they started their own telnet
> (telnetd) and ftp (data-ftp) programs. One of the users they created was
> 42:
>
> drwxr-xr-x 3 42 42 1024 Jun 20 2000 apache (atch 2)
>
> If it can give a clue, I can tell that sendmail is giving an error in the admin
> web interface that says it's not running, but mails get delivered and it
> looks ok. I also restarted the server in the admin console but the
> admin-console says the server has been running for over 14 days. I tried to
> disconnect the telnet server but even I was still using telnet after
> it was turned off.
>
> Anybody who can help me with names of processes that normally should not
> run, and commands I can use to get port, user and other info, useful when I
> think there is something going wrong in the cobalt. (I am a newbie).
>
> I am grateful for all tips regarding this hack and how to trace things in
> the future. Take a look at the logs and info at the end of the mail.
>
> regards
>
> Kai R Schantz
> Euroweb AS
> Verksgaten 42
> N-4013 Stavanger
> Norway
> Tlf:+47 51 89 64 64 fax:+47 51 89 56 41
> www.euroweb.no
>
>
>
> hotellet-gw#sh ip accounting
>
> Accounting data age is 0
>
> WHOIS:
> IP block lookup for 170.140.102.64
> whois -h whois.arin.net 170.140.102.64
>
> Emory University (NET-EMORY2)
> Atlanta GA, 30322
> US
>
> Netname: EMORY2
> Netblock: 170.140.0.0 - 170.140.255.255
>
> Coordinator:
> Petersen, Paul (PP1526-ARIN) ppeters@xxxxxxxxx
> (404) 727-7686 (FAX) (404) 727-2599
>
>
>
> (atch 2)
>
> -rw-rw-rw- 1 root root 9300 Mar 11 20:07 chili-psm
> -rw-r--r-- 1 root root 1776311 Mar 11 04:11 access.1.gz
>
> drwxr-xr-x 16 root root 1024 Mar 12 14:15 .
> drwxr-xr-x 16 root root 1024 Mar 12 12:34 ..
> drwxr-xr-x 3 42 42 1024 Jun 20 2000 apache
> drwxr-xr-x 17 root root 1024 Jan 18 08:03 chiliasp
> drwxr-xr-x 9 root root 1024 Dec 19 19:28 cmu
> drwxr-xr-x 3 root root 1024 Jan 6 2000 httpd
> drwxr-xr-x 3 root root 1024 Jan 6 2000 log
> drwxr-xr-x 2 root root 12288 Jan 6 2000 lost+found
> drwxr-xr-x 12 httpd httpd 1024 Jun 21 2000 openshop
> drwxr-xr-x 2 admin admin 1024 Feb 13 05:36 packages
> drwx------ 3 postgres postgres 1024 Feb 15 20:01 pgsql
> -rw------- 1 root root 32032 Mar 13 12:33 quota.group
> -rw------- 1 root root 32480 Mar 13 17:32 quota.user
> drwxr-xr-x 7 root root 1024 Jan 6 2000 redhat
> drwxr-xr-x 2 root nobody 1024 Jul 22 1999 samba
> drwxr-xr-x 196 root root 9216 Mar 5 12:10 sites
> -rw-rw-r-- 1 admin admin 695162297 Mar 12 14:12 sites.tar.gz
> drwxr-xr-x 4 root root 1024 Jan 6 2000 spool
> drwxrwxrwx 4 root root 1024 Mar 13 15:55 tmp
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
--
- Kevan Benson
- Colocation and Hosting Product Manager
- Sonic.net, Inc.
- (707)522-1000 x219
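An added example, not from Kevan's reply or from the list: shell helpers that mechanise the checks he describes (unknown listeners from "netstat -plven", unowned numeric UIDs and world-writable files from "ls -l") over constructed sample output so they run offline; the sample lines, the ports and the allowlist of expected programs are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Parses constructed sample output
# offline; on a real box feed it live "netstat -plven" and "ls -l" output instead.

# Constructed sample of "netstat -plven" (Linux net-tools column layout assumed).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 0 1234 321/proftpd
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 0 1240 335/in.telnetd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 1250 400/httpd
tcp 0 0 0.0.0.0:2323 0.0.0.0:* LISTEN 0 1300 612/telnetd
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN 42 1310 700/data-ftp'

# Constructed "ls -l" sample mirroring the listing in the quoted mail.
SAMPLE_LS='drwxr-xr-x 3 42 42 1024 Jun 20 2000 apache
drwxr-xr-x 17 root root 1024 Jan 18 08:03 chiliasp
-rw-rw-rw- 1 root root 9300 Mar 11 20:07 chili-psm
-rw-r--r-- 1 root root 1776311 Mar 11 04:11 access.1.gz'

# Print "port pid/program uid=N" for every LISTEN socket whose program name
# is not in the space-separated allowlist $1. Reads netstat -plven on stdin.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # strip address, keep port
            prog = $9; sub(/^[0-9]+\//, "", prog)  # strip "PID/" prefix
            if (!(prog in ok)) print port, $9, "uid=" $7
        }'
}

# Flag "ls -l" entries whose owner or group is a bare number: ls only prints
# a number when no passwd/group entry exists, which is what "42 42 apache" means.
numeric_owners() {
    awk 'NF >= 9 && ($3 ~ /^[0-9]+$/ || $4 ~ /^[0-9]+$/) { print $NF, "owner=" $3, "group=" $4 }'
}

# Flag regular files writable by everyone (9th mode character is "w"),
# e.g. the -rw-rw-rw- chili-psm entry in the quoted listing.
world_writable() {
    awk '$1 ~ /^-.......w/ { print $NF, $1 }'
}

# Demonstration on the constructed samples; the allowlist is an assumption.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "proftpd in.telnetd httpd sendmail sshd"
printf '%s\n' "$SAMPLE_LS" | numeric_owners
printf '%s\n' "$SAMPLE_LS" | world_writable
```

A listener that survives the allowlist still has to be checked the way Kevan describes (connect and see what banner it gives), and a bare-number owner is worth cross-checking against /etc/passwd on a known-good copy.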