
Re: [cobalt-security] RaQ2 Hacked within 1 day of being online



From: "Patrick Agee" <pagee@xxxxxxxxxxxxxx>

<snip>
> Except this time updated it as a RaQ1
> running RaQ2 software and applied all the patches available from Cobalt for
> a RaQ2 in the order that they are listed, even the one that is out of order
> but refers to RaQ1 hardware using RaQ2 software. Got it all in there. Ok
> now thought it was fine to be put back on the network. Plugged back in, all
> sites uploaded and back in use. Then this morning somehow they managed to
> get in through I believe Telnet as I have looked through the logs and found
> several entries where access was denied for authentication error. Then I
> have the following files which have been placed into the /bin directory.
> They include sc, ssc, s, hk, ps, and netstat. He has also set the "ps" file
> to be run every 15 minutes. I guess the only good thing this smart idiot
> doesn't know is that this is a MIPS machine, not an Intel as none of these
> files are executable as I keep being reminded by the Cron Daemon every 15
> minutes that it cannot execute binary file.
>
> Any ideas on how they got in and better yet on how to keep them out?

I doubt this hack was accomplished through any daemon exploit, as a buffer
overflow requires working shellcode. It is doubtful that the hacker would
have known to use MIPS shellcode if he didn't know to use MIPS binaries.

Maybe they are doing brute force password guessing? How many login errors do
you have? I would think there would be quite a few while using a brute force
attack. They also might be using a cobalt-specific brute force attack by
trying to guess your admin password on the GUI. You should block port 81 on
your firewall and port 23 (telnet) if none of your users need it.

Consider the possibility that this is an inside job. Could one of your
customers / employees / former employees be doing this?

> I am getting the
> message now along with several others, but all is currently working and I'm
> afraid to restart it for fear of it locking again.

I suggest you transfer these sites to another server and work on hardening
the RaQ before you try it in production again. This time when you are ready
to deploy, try a trial run (put it online without any customer sites on it,
and see if it gets hacked).

Kevin
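Kevin's suggestion to count the login errors is the kind of check that is easier to do with a short script than by eye. The following is an added example, not part of the original thread and not Cobalt's software: it tallies failed logins per source address, lists the usernames each source tried, and flags a successful login from a source that also accumulated many failures, which is the trace a password-guessing run leaves when it eventually gets in. The log lines are constructed in the style of Linux login(1) syslog messages; the exact format on a RaQ2, the addresses and the threshold of 5 are assumptions to adjust to the real /var/log/messages.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in the style of login(1) syslog messages.
# These lines are invented for the example; they are not from the thread.
SAMPLE_LOG = """\
Mar 12 03:14:01 raq login[2201]: FAILED LOGIN 1 FROM 203.0.113.7 FOR root, Authentication failure
Mar 12 03:14:03 raq login[2201]: FAILED LOGIN 2 FROM 203.0.113.7 FOR root, Authentication failure
Mar 12 03:14:05 raq login[2201]: FAILED LOGIN 3 FROM 203.0.113.7 FOR root, Authentication failure
Mar 12 03:14:09 raq login[2203]: FAILED LOGIN 1 FROM 203.0.113.7 FOR admin, Authentication failure
Mar 12 03:14:12 raq login[2203]: FAILED LOGIN 2 FROM 203.0.113.7 FOR admin, Authentication failure
Mar 12 03:14:15 raq login[2203]: FAILED LOGIN 3 FROM 203.0.113.7 FOR admin, Authentication failure
Mar 12 03:15:40 raq login[2210]: FAILED LOGIN 1 FROM 198.51.100.9 FOR webmaster, Authentication failure
Mar 12 03:16:02 raq login[2210]: LOGIN ON ttyp0 BY webmaster FROM 198.51.100.9
Mar 12 03:20:44 raq login[2230]: FAILED LOGIN 1 FROM 203.0.113.7 FOR admin, Authentication failure
Mar 12 03:20:50 raq login[2230]: LOGIN ON ttyp1 BY admin FROM 203.0.113.7
"""

# Assumed message formats; check them against the real log before relying on this.
FAILED_RE = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\w+),")
SUCCESS_RE = re.compile(r"LOGIN ON \S+ BY (?P<user>\w+) FROM (?P<src>\S+)")


def parse_log(log_text):
    """Walk the log once and return failure counts per source address,
    the set of usernames each source tried, and successful logins in order."""
    failures = Counter()
    users_tried = defaultdict(set)
    successes = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["src"]] += 1
            users_tried[m["src"]].add(m["user"])
            continue
        m = SUCCESS_RE.search(line)
        if m:
            successes.append((m["src"], m["user"]))
    return {"failures": failures, "users_tried": users_tried, "successes": successes}


def suspicious_sources(log_text, threshold=5):
    """Source addresses with at least `threshold` failed logins, most failures first."""
    stats = parse_log(log_text)
    hits = [(src, n) for src, n in stats["failures"].items() if n >= threshold]
    return [src for src, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


def successes_after_guessing(log_text, threshold=5):
    """Successful logins from a source that also racked up `threshold` or more
    failures in the same log: a likely guessed password, worth investigating."""
    suspects = set(suspicious_sources(log_text, threshold))
    return [(src, user) for src, user in parse_log(log_text)["successes"] if src in suspects]


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    for src in suspicious_sources(SAMPLE_LOG):
        print(f"{src}: {stats['failures'][src]} failures, tried {sorted(stats['users_tried'][src])}")
    for src, user in successes_after_guessing(SAMPLE_LOG):
        print(f"investigate: login as {user} from {src} after repeated failures")
```

On the constructed sample this reports 203.0.113.7 with seven failures against root and admin, followed by a successful admin login from the same address; the single failure from 198.51.100.9 stays below the threshold and is not flagged. Run it against the real log with the same threshold, then compare the flagged addresses with the times the /bin files and the cron entry appeared.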