
[cobalt-security] Re: RaQ1 hacked

The sniffer would be my feeling as well, but doesn't the p suggest a local
connection? Maybe a console connection? If you search the web (some sites in
particular) you can find a C program that can search subclasses (remotely)
for sniffers. You might find this program useful. I tested this program on a
network where I used to work and found it worked around 95% of the time. It
made a few false accusations, but after some digging I found that the owners
of the falsely identified boxes had 'repaired' damage done by previous
hackers.
Use SSH telnet to access the machine and make sure that you use SSL httpd to
access the GUI. Try a portscan just in case your ps has been modified. If
you think there has been a hacker, DO NOT USE ls TO LIST DIRECTORY STRUCTURES;
too many hackers modify this to remove certain files and directories. If you
must use ls, make sure it is ls -la; some hackers use directories of ...
which many admins miss. USE echo * TO LIST DIRECTORIES. I have never found a
hacker yet to modify echo successfully.

As always, turn off anything you don't need. Some versions of PHP were
hackable and allowed malicious users to move and copy and set as SUID files
on the hard disk. Check for scripts hidden around your computer. Use
chkrootkit.org to search for common attacks on your machine.

Gareth
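The "echo * instead of ls" check from the message above, written out as a small script. This is an added example and not part of Gareth's post or any Cobalt tool: it lists a directory with the shell's own glob expansion (which a replaced ls binary cannot influence), reports any entry that the shell sees but ls does not print, and separately flags names made only of dots or spaces, the "..." trick mentioned above. It goes a little beyond the post by covering dotfiles (".*") as well as "*". It assumes a POSIX sh with the usual coreutils (ls, grep, sort, mktemp); the function names and the sample directory are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): compare the shell's own view of a
# directory with what ls reports, and flag dot-only names such as "...".

# glob_list DIR: one entry per line, produced purely by shell expansion
# (the same mechanism as "echo *"), so a trojaned ls cannot filter it.
glob_list() {
    ( cd "$1" || exit 1
      for f in .* *; do
          # skip . and .., and the literal pattern left when nothing matched
          case "$f" in .|..) continue ;; esac
          [ -e "$f" ] || [ -L "$f" ] || continue
          printf '%s\n' "$f"
      done ) | sort -u
}

# ls_list DIR: names only, as ls -la would show them (everything but . and ..).
ls_list() {
    ( cd "$1" || exit 1; ls -A1 ) | sort -u
}

# hidden_by_ls DIR: entries present on disk that ls leaves out. Any output
# here means ls and the shell disagree, which is what a modified ls looks like.
hidden_by_ls() {
    tmp=$(mktemp) || return 1
    ls_list "$1" > "$tmp"
    glob_list "$1" | while IFS= read -r f; do
        grep -Fxq -- "$f" "$tmp" || printf '%s\n' "$f"
    done
    rm -f "$tmp"
}

# suspicious_names DIR: names consisting only of dots and spaces (e.g. "...",
# ".. "), which blend into a casual "ls -la" listing.
suspicious_names() {
    glob_list "$1" | grep -E '^[. ]+$'
}

# check_dir DIR: human-readable report combining both checks.
check_dir() {
    dir=$1
    printf '== %s ==\n' "$dir"
    h=$(hidden_by_ls "$dir")
    if [ -n "$h" ]; then
        printf 'present on disk but NOT shown by ls (modified ls?):\n%s\n' "$h"
    fi
    s=$(suspicious_names "$dir")
    if [ -n "$s" ]; then
        printf 'dot/space-only names (often used to hide a directory):\n%s\n' "$s"
    fi
    return 0
}

# make_sample_dir: constructed sample data for a demo; prints the path.
# Contains an ordinary file, a dotfile and a directory literally named "...".
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/normal.txt"
    : > "$d/.profile"
    mkdir "$d/..."
    printf '%s\n' "$d"
}

# Usage: sh checkls.sh --demo      (sample directory)
#        sh checkls.sh /var /tmp   (real directories, run as root)
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_dir)
    check_dir "$sample"
    rm -rf "$sample"
elif [ $# -gt 0 ]; then
    for dir in "$@"; do check_dir "$dir"; done
fi
```

Run it against the directories you would normally inspect with ls -la; a clean system prints only the dot-only names it finds, and any "NOT shown by ls" line is worth treating as a sign that ls itself has been replaced, in which case chkrootkit's own checks of the binaries are the next step.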