
RE: [cobalt-security] RaQ3 Hacked



"Anonymous out of necessity" (rather misguidedly since no cracker worth
their salt would be reading this group to find RaQs. That takes brainpower.
Automated scanning systems are far easier to run; they work while you're
asleep) wrote:

> Lemme start by saying I am pretty upset with Sun right now. 
> The blackhat used a bind exploit to gain shell access and
> then used the vixie crontab exploit to get root, then they
> installed t0rn. Greeaaattt!

Nice. How do you know they used that cron exploit to get root? And how do
you know they got in via BIND in the first place? This must be a pretty poor
crack to have left two telltales lying around...

> And yes I had the vixie-cron 4.02 patch applied.

So then it's doubtful that the hole in the original 'crontab' binary was
used, n'est-ce pas?
When did this crack actually happen? I've seen evidence of occasional
machines passed to me by friends recently which were cracked as far back as
February and *still* haven't been fixed.

> How dang long is it going to take Sun/Cobalt to release a 
> package to update bind. 

* Security: BIND Update 4.0.1 
* HTTP RaQ3-All-Security-4.0.2-9353.pkg Posted: February 6, 2001 

So that'll have been, let's see now, about six months ago. Wakey wakey, eyes
open.

> I am seriously considering dumping this dang RaQ in 
> favor of a box I can keep up to date without breaking the
> friggin GUI.

OK, I gotta go with you on that one. Having said that it's not too difficult
to keep up-to-date with things which don't "break the GUI", BIND being one
of them. A number of list members reported updating by hand to BIND-8.2.3
well before Cobalt released the .pkg file to it. It really wasn't difficult.
 
> I had all patches applied. Portsentry. Tripwire. All the 
> essentials. Except the latest bind of course.

In that case, your 'all the latest patches' is rendered rather null and
void. Unless of course you mean BIND 8.2.4 or even BIND 9; however 8.2.4
contained no security fixes - it was a bugfix release. And since BIND 9
fundamentally changes the operation and configuration of the nameserver, and
8.2.x is still supported, I guess Cobalt - like a lot of us - have decided
to stay out of the v9.x stream until it's necessary to jump that way.

I assume that Tripwire caught your misbehaving interloper; in which case
that's a good thing. Portsentry however is less than useful if someone
determined comes along and knows there's a hole in a well-known service like
your DNS since you can't really go blocking access to that. If they scan you
first, fine - but that ain't necessary...

> Anyone want to offer any pointers to securing a RaQ3,
> Anonymous out of necessity.

And using Hotmail - The World's Most Secure Email Service (Not) [TM] - is
really going to engender confidence here, isn't it?

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
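The point above about Tripwire catching the interloper (and Portsentry not helping against an attacker who goes straight for a known service) comes down to file-integrity checking. The following is an added example, not code from the list post or from Tripwire: it builds a baseline of digest, size and mode for files under a directory, then reports what was added, removed or modified. The directory layout and the "trojaned" files in demo() are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest, size and permission bits for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": _digest(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),  # catches a newly set setuid bit
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added and removed paths, plus which attributes changed on modified ones."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        diffs = [k for k in ("sha256", "size", "mode") if baseline[path][k] != current[path][k]]
        if diffs:
            modified[path] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake bin/, then simulate a replaced binary and a dropped file."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
    (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /bin/ps \"$@\"\n")
    before = build_baseline(root)
    # Simulated tampering after the baseline: ls gets new content and setuid, a hidden file appears
    (root / "bin" / "ls").write_bytes(b"#!/bin/sh\n# changed\nexec /bin/ls \"$@\"\n")
    os.chmod(root / "bin" / "ls", 0o4755)
    (root / "bin" / ".hidden").write_bytes(b"x")
    return compare(before, build_baseline(root))
```

The baseline only proves anything if it is stored off the host (or on read-only media) before the compromise, which is the same caveat that applies to Tripwire's database.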