
Re: [cobalt-security] raq3 no admin interface



Gerald Young wrote:
> 
> Hello,
>         Can anyone help? We have a RAQ3 and some services mysteriously stopped.
> 
> ftp and telnet are not running and the admin interface is partly disabled, i.e.
> the services interface; we can check statistics etc. but everything else is
> giving an illegal error??
> When rebooting it still is not running telnet and ftp.
> 
> How can we reactivate, say, at least telnet?
> Many thanks from New Zealand
> 
> --  Gerald Young
> www.coolcat.net  www.coolcoach.net - THE HOTTEST WAY TO LEARN -
> -------------------------------------------------------------

Gerald,

This is usually an indication that something has been changed. You can
try to log into the server via serial console to see if you can figure
out what is going on.

If you gain access, run these tests to determine if you have been
hacked.

Although it is not 100% accurate, one can be reasonably sure that the
server has been hacked if any of the following produces output:
      rpm -V procps
      rpm -V fileutils
      rpm -V net-tools
      rpm -V util-linux

      NOTE: util-linux will complain about:
      S.5....T c /etc/pam.d/chfn
      S.5....T c /etc/pam.d/chsh
      S.5....T c /etc/pam.d/login
      .M...... /usr/bin/newgrp
      .M...... /usr/bin/write
      These are OK...they should not be different, but they DO NOT show
that you have been hacked.

      Also, grep /var/log/messages for the string nslookupComplain()

      That is the bind vulnerability itself.

      Another item to look for is file attributes.
      Look in the /usr/bin and /usr/sbin dirs:
      lsattr /usr/bin/*
      lsattr /usr/sbin/*

      If you get "----i--- " for many files, you've been had. This
causes updates to fail with permissions errors in the cobalt log files.
      ( /var/cobalt/adm.log on an R4 )

      echo $TERM
      will give back dumb...or something else other than xterm.

Please note, these tests only work correctly on non-MIPS processor
servers. (You can tell if it's MIPS on telnet login.) There was some
confusion about this when I posted this test before.

We have also determined this to happen when the /var directory has been
"wedged". This comes from too much disk space taken by log files,
usually an indication that the log rotation is failing. Make sure your
server is updated with all the patches. If you don't have them all, this
could be the reason it's happening. If you cannot access the server at
all, contact technical support.

-- 
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.
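The checks listed in the reply above, turned into one script that can be run from the serial console and left in place for later runs. This is an added example, not part of the original post and not Cobalt or Sun code. It assumes rpm and lsattr are on the PATH and /var/log/messages is readable; the rpm -V and lsattr output embedded at the bottom is constructed for an offline dry run, not captured from a real RaQ. The filters read stdin so they can also be pointed at output saved from a machine you cannot script on directly.

```shell
#!/bin/sh
# Added example, not from the original post or from Cobalt: automates the
# checks Bill Irwin lists for a RaQ3/RaQ4 (rpm -V on the core packages, a grep
# of /var/log/messages for nslookupComplain(), and a scan of /usr/bin and
# /usr/sbin for the immutable bit). The live run assumes rpm and lsattr exist.

# 'rpm -V util-linux' lines the post says are normal on an unmodified RaQ.
KNOWN_OK='S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
.M...... /usr/bin/newgrp
.M...... /usr/bin/write'

# filter_rpm_verify: print the 'rpm -V' lines on stdin that are not in
# KNOWN_OK. Whitespace is squeezed ($1 = $1) so that old rpm (one space
# before the 'c') and newer rpm (two spaces) compare equal.
filter_rpm_verify() {
    awk -v ok="$KNOWN_OK" '
        BEGIN { n = split(ok, a, "\n"); for (i = 1; i <= n; i++) known[a[i]] = 1 }
        NF == 0 { next }
        { $1 = $1; if (!($0 in known)) print }'
}

# immutable_files: print the paths from 'lsattr' output on stdin whose flag
# field contains i (immutable). That flag is what makes the Cobalt updater
# fail with permission errors, as the post notes.
immutable_files() {
    awk '$1 ~ /i/ { print $2 }'
}

# bind_hits: count the lines on stdin that mention nslookupComplain().
bind_hits() {
    grep -cF 'nslookupComplain()' || true   # grep -c exits 1 on zero matches
}

# check_raq: run the checks on a live server; returns 1 if anything was found.
check_raq() {
    bad=0
    for pkg in procps fileutils net-tools util-linux; do
        out=$(rpm -V "$pkg" 2>&1 | filter_rpm_verify)
        if [ -n "$out" ]; then
            printf 'rpm -V %s:\n%s\n' "$pkg" "$out"; bad=1
        fi
    done
    # "lsattr * /usr/bin" would list the current directory plus the /usr/bin
    # entry itself; the directory contents need /usr/bin/*.
    imm=$(lsattr /usr/bin/* /usr/sbin/* 2>/dev/null | immutable_files)
    if [ -n "$imm" ]; then
        printf 'immutable files:\n%s\n' "$imm"; bad=1
    fi
    n=$(bind_hits < /var/log/messages 2>/dev/null || echo 0)
    if [ "$n" -gt 0 ]; then
        printf '%s nslookupComplain() lines in /var/log/messages\n' "$n"; bad=1
    fi
    if [ "$bad" -eq 0 ]; then echo 'no indicators found'; fi
    return "$bad"
}

# Constructed sample output (not from a real RaQ) so the filters can be tried
# offline. The live run is opted into with RAQ_CHECK=1.
SAMPLE_RPM='S.5....T c /etc/pam.d/chfn
.M...... /usr/bin/write
S.5....T   /bin/ps'
SAMPLE_LSATTR='-------- /usr/bin/ls
----i--- /usr/bin/ps
----i--- /usr/sbin/ifconfig'

if [ "${RAQ_CHECK:-0}" = 1 ]; then
    check_raq
else
    printf 'unexpected rpm -V lines:\n%s\n' "$(printf '%s\n' "$SAMPLE_RPM" | filter_rpm_verify)"
    printf 'immutable files:\n%s\n' "$(printf '%s\n' "$SAMPLE_LSATTR" | immutable_files)"
fi
```

`sh raq-check.sh` runs the filters over the constructed sample; `RAQ_CHECK=1 sh raq-check.sh` runs the real commands and exits non-zero if anything was flagged, so it can be called from cron. The same caveat the post gives applies: rpm -V trusts the rpm database and the rpm binary, and lsattr trusts the kernel's view of the filesystem, so a clean result from a box you already suspect is only reassuring when the tools were run from known-good media.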