
Re: [cobalt-security] FTP exploits
Hi all,

I can't stress enough to everyone the importance of properly
disinfecting a machine after a system attack.

I've just gone through with another customer who restored his machine
only to be hacked again right away. Even after he applied the patches
for the vulnerabilities.

Please be aware that restoring a RaQ or Qube back on the network
immediately after restoration and BEFORE patching is a BAD idea. We have
seen and documented numerous cases where the machine was infected within
minutes of being put back on the network. In most cases the infection
comes from another RaQ machine the customer has on their network. Here's
a copy of the recommendations we give customers regarding intrusions and
system "roots".

--
In this situation, the only recommendation we can make is to obtain &
use an OS Restore CD to return the machine to the state it was in when
new. Additionally, we explicitly recommend against making any backups at
this point, as there is no way of knowing where any back doors that may
have been left behind are hidden. If they were to remain, the intruder
could use them to regain access to your server at some point in the
future.

We suggest the following:
1: Take the affected machines off the Internet/network.
2: Use an OS Restore CD to return the machine to the condition it was in
when new.
   The OS Restore CD can be obtained at: http://shop.cobalt.com , in the
   "software" product category.
3: Obtain and install all of the updates for your machine from our
update site, located at:
http://www.cobalt.com/support/download/index.html
   Please be aware that you may need to look in the "Download Archive"
   section for some of the older updates. Be sure that you apply the
   updates in the proper order. Please note that if the server's
   connection to the internet is restored prior to all of the updates
   being installed, there is a high likelihood that the server will
   immediately become compromised again. We have seen this happen a
   number of times.

Only at this point would you want to restore the server's network
connection, and begin rebuilding the user's data. (DO NOT USE BACKUPS TO
RESTORE USER DATA AS IT MAY BE INFECTED!!)

As a precaution, plan for being hacked. Make sensible backup plans,
advise your customers to have backups of their work locally so they can
restore their clean copy if you should ever get hacked again, and
regularly check our updates page for patches which resolve
vulnerabilities. We post patches for security issues as soon as we find
out about them.
--


-- 
Bill Irwin