
[cobalt-security] RaQ2 Hacked within 1 day of being online



	I had a RaQ1 that was hacked; we believe they got in before the ftp patch
was applied in March 01. No big deal, a few sites taken offline for a few
days while software was reloaded. Except this time I updated it as a RaQ1
running RaQ2 software and applied all the patches available from Cobalt for
a RaQ2 in the order that they are listed, even the one that is out of order
but refers to RaQ1 hardware using RaQ2 software. Got it all in there. Ok,
now I thought it was fine to be put back on the network. Plugged back in, all
sites uploaded and back in use. Then this morning somehow they managed to
get in through, I believe, Telnet, as I have looked through the logs and found
several entries where access was denied for authentication error. Then I
have the following files which have been placed into the /bin directory.
They include sc, ssc, s, hk, ps, and netstat. He has also set the "ps" file
to be run every 15 minutes. I guess the only good thing this smart idiot
doesn't know is that this is a MIPS machine, not an Intel, as none of these
files are executable, as I keep being reminded by the Cron Daemon every 15
minutes that it "cannot execute binary file".

	Any ideas on how they got in and better yet on how to keep them out?
Last time they got in they corrupted the startup of the machine and when I
got the email from the cron daemon, that the cron daemon was down, to
reboot the server it locked up and necessitated reloading. I am getting the
message now along with several others, but all is currently working and I'm
afraid to restart it for fear of it locking again.



Patrick Agee
pagee@xxxxxxxxxxxxxx
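The post above describes two indicators an admin can check for mechanically: binaries dropped into /bin that were compiled for the wrong architecture (the cron daemon's "cannot execute binary file" is exactly what happens when an x86 ELF lands on a MIPS box), and a crontab entry that runs a replaced system tool such as "ps" every 15 minutes. The script below is an added example, not part of the original message or of any Cobalt tool. It reads the ELF header's e_machine field to flag executables whose architecture does not match the host, compares a directory listing against a baseline of expected names, and scans crontab lines for commands that invoke watched program names. The file contents, baseline and crontab are constructed inline so it runs offline; on a real system you would feed it the bytes of each file in /bin and the output of `crontab -l`.

```python
import struct

# ELF e_machine values (from the ELF specification)
EM_386 = 3
EM_MIPS = 8
EM_X86_64 = 62
MACHINE_NAMES = {EM_386: "x86", EM_MIPS: "MIPS", EM_X86_64: "x86-64"}


def elf_machine(data: bytes):
    """Return e_machine for an ELF image, or None if the data is not ELF.
    EI_DATA (byte 5) selects endianness; e_machine is the 16-bit field at offset 18."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"
    return struct.unpack(endian + "H", data[18:20])[0]


def foreign_binaries(files: dict, host_machine: int) -> list:
    """Names of ELF files whose architecture differs from host_machine."""
    suspect = []
    for name, data in files.items():
        m = elf_machine(data)
        if m is not None and m != host_machine:
            suspect.append((name, MACHINE_NAMES.get(m, hex(m))))
    return suspect


def unexpected_files(files: dict, baseline: set) -> list:
    """Names present in the directory but absent from the known-good baseline."""
    return sorted(name for name in files if name not in baseline)


def cron_entries_invoking(crontab: str, watched: set) -> list:
    """Crontab lines (5 time fields + command) whose command runs a watched program."""
    hits = []
    for line in crontab.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        fields = s.split(None, 5)
        if len(fields) < 6:
            continue
        prog = fields[5].split()[0].rsplit("/", 1)[-1]
        if prog in watched:
            hits.append(s)
    return hits


def audit(files: dict, baseline: set, crontab: str, host_machine: int) -> dict:
    """Combine the three checks into one report."""
    foreign = foreign_binaries(files, host_machine)
    return {
        "foreign_arch": foreign,
        "unexpected": unexpected_files(files, baseline),
        "cron": cron_entries_invoking(crontab, {n for n, _ in foreign} | {"sc", "ssc", "s", "hk"}),
    }


def fake_elf(machine: int, little_endian: bool = True) -> bytes:
    """Constructed 20-byte ELF header prefix used as sample input (not a real binary)."""
    ident = b"\x7fELF" + bytes([1, 1 if little_endian else 2, 1]) + b"\x00" * 9
    return ident + struct.pack(("<" if little_endian else ">") + "HH", 2, machine)


# Constructed sample /bin contents: two replaced tools built for x86, one genuine MIPS
# binary, and a dropped shell script. Names follow the ones listed in the post.
SAMPLE_BIN = {
    "ls": fake_elf(EM_MIPS),
    "ps": fake_elf(EM_386),
    "netstat": fake_elf(EM_386),
    "sc": b"#!/bin/sh\necho constructed sample\n",
}
SAMPLE_BASELINE = {"ls", "ps", "netstat", "sh"}
SAMPLE_CRONTAB = """# constructed crontab
0 4 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/15 * * * * /bin/ps
"""

if __name__ == "__main__":
    report = audit(SAMPLE_BIN, SAMPLE_BASELINE, SAMPLE_CRONTAB, EM_MIPS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The architecture check only catches the sloppy case described in the post; a correctly compiled replacement for ps or netstat would pass it, which is why the baseline comparison should be backed by recorded checksums of the vendor binaries taken before the machine goes back online.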