
RE: [cobalt-security] Re: [cobalt-users] ssh on port 44658???
Hi there

Åke Brännström wrote:
> If your RaQ4 have been hacked, as seems likely, my 
> recommendation is that you immediately make a safe copy
> of all important data and then reinstall the operating
> system from scratch, install all patches and disable all
> services that you do not need. If you merely disable nscd,
> there is a risk that the hackers will find out that you're
> on to them and wipe your entire disk or something equally
> nasty. 

IMO that's highly unlikely; in my experience of these things (sadly I have
accumulated a lot in recent months, especially where RaQs are concerned)
they will simply move on elsewhere - which is usually (in IP terms anyway)
likely to be one of your immediate neighbours. If they haven't cracked that
one already.

In most cases disabling the backdoor efficiently prevents further
unauthorised access - providing you disable all the backdoors!

It *is* possible to recover from a crack like this without rebuilding, but
it needs a certain amount of knowledge of what to look for. The latest thing
I have seen is rootkits hiding trojans inside the tcpwrappers package which
inetd uses - and that's damned clever...

Still, all the usual advice applies: keep up-to-date, disable unused
services, use secure connection methods where available yadda yadda yadda.

Graeme
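Graeme's reply says the hard part of recovering without a rebuild is knowing what to look for, and the subject line gives the most obvious tell: an sshd listening on a port nobody configured. The script below is an added example, not code from this thread or from Cobalt; it compares LISTEN sockets against an administrator-maintained baseline of expected ports and reports any that are not on the list. The sample listener lines and the baseline are constructed for the example (the format mimics `netstat -tlnp` output, which is where the live input would come from). It only catches listeners that the kernel reports honestly; if a rootkit has replaced `netstat` or the libraries it uses, as in the trojaned tcpwrappers case Graeme mentions, a clean-booted rescue system is the only place such a check can be trusted.

```shell
#!/bin/sh
# Constructed sample in `netstat -tlnp` layout (not real captured data):
# Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
SAMPLE_LISTENERS='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 412/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 530/httpd
tcp 0 0 0.0.0.0:44658 0.0.0.0:* LISTEN 9021/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 498/sendmail'

# Hypothetical baseline: the ports this host is supposed to serve.
EXPECTED_PORTS="22 80 25"

# unexpected_listeners: read netstat-style lines on stdin and print
# "<port> <pid/program>" for every LISTEN socket whose local port is
# not in the space-separated baseline given as $1.
unexpected_listeners() {
    expected=" $1 "
    while read -r proto recvq sendq local remote state prog; do
        [ "$state" = "LISTEN" ] || continue
        port=${local##*:}                 # strip address, keep port
        case "$expected" in
            *" $port "*) ;;               # baseline port, nothing to report
            *) printf '%s\n' "$port $prog" ;;
        esac
    done
}

# count_unexpected: number of listeners outside the baseline, so the
# script can be used from cron with a non-zero result meaning "look".
count_unexpected() {
    printf '%s\n' "$SAMPLE_LISTENERS" \
        | unexpected_listeners "$EXPECTED_PORTS" \
        | wc -l | tr -d ' '
}

# Stand-alone run: report against the constructed sample.
printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners "$EXPECTED_PORTS"
```

On a live Cobalt box the pipeline would be `netstat -tlnp | unexpected_listeners "$EXPECTED_PORTS"` (run as root so program names are shown). Keep the baseline outside the box, on a machine you trust, and treat any second sshd entry the way the thread does: as a backdoor to be removed, not merely stopped.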