
Re: [cobalt-security] root kitted :(



I think what he was requesting was file sizes, dates and checksums of known
good files to compare to his? Or even known "safe" files to just copy over
the top of his.

That's how I read it.

----- Original Message -----
From: "Taco Scargo" <taco.scargo@xxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Sunday, December 02, 2001 5:21 PM
Subject: Re: [cobalt-security] root kitted :(


> What you asked for is unchanged programs. By installing the RPMS (again) you
> restore the original versions. That's what you wanted, didn't you?
>
> Anyway, if I were you, I'd store my data somewhere safe and restore the box.
>
> Taco
> ----- Original Message -----
> From: "Christopher Lange" <lists@xxxxxxxxxxxxxxxxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Sent: Sunday, December 02, 2001 22:09
> Subject: Re: [cobalt-security] root kitted :(
>
>
> > Taco,
> >
> > By reinstalling these RPMs from the ftp site, would we need to reinstall
> > any packages such as the kernel package that was distributed?
> >
> > --
> > Christopher Lange
> >
> > ----- Original Message -----
> > From: "Taco Scargo" <taco.scargo@xxxxxxx>
> > To: <cobalt-security@xxxxxxxxxxxxxxx>
> > Sent: Saturday, December 01, 2001 2:18 PM
> > Subject: Re: [cobalt-security] root kitted :(
> >
> >
> > Get the rpms and install them with rpm -U --force from
> > ftp.cobaltnet.com/pub/products/raq4/RPMS
> > See what rpm you need with rpm -qif /path/to/file
> >
> > With regards,
> >
> > Taco Scargo
> > Professional Services Manager, EMEA
> >
> > Sun Microsystems
> > Sun Cobalt Server Appliances
> > ----- Original Message -----
> > From: "Mike Jeffers" <mjeffers@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> > To: <cobalt-security@xxxxxxxxxxxxxxx>
> > Sent: Saturday, December 01, 2001 5:41
> > Subject: [cobalt-security] root kitted :(
> >
> >
> > > I have reason to believe that I am a victim of a root kit and have false
> > > copies of the following binaries:
> > >
> > > w
> > > ps
> > > ls
> > >
> > > I have since thrown up a few ipchains rules as a temporary stop gap, but
> > > would like to further investigate the perpetrator's kit before I format
> > > and restore. Without having good copies of these files, finding where
> > > on my file system he dropped off his kit is like looking for a needle
> > > in a hay stack.
> > >
> > > I'm looking to get known good copies of these binaries, could anyone lend
> > > a hand and get me good copies? (I'm on a RaQ4, BTW)
> > >
> > > Many thanks in advance,
> > >
> > > -Mike
> > >
> > > _______________________________________________
> > > cobalt-security mailing list
> > > cobalt-security@xxxxxxxxxxxxxxx
> > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > >
> >
>
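
Added example (not part of the original thread): the comparison of sizes, dates and checksums discussed above can be made against the RPM database with `rpm -V`, a command the thread does not mention. This sketch decodes that output and lists non-config files whose content changed; the sample lines and paths are constructed, and it assumes rpm is run from trusted media, since a rootkit can alter the installed rpm and its database.

```python
import re

# Attribute letters printed by `rpm -V`; "." means the check passed.
ATTRS = {"S": "size", "M": "mode", "5": "digest", "D": "device",
         "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
         "P": "capabilities"}

# Older rpm prints 8 attribute characters, newer versions print 9.
LINE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+"
                  r"(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")
MISSING = re.compile(r"^missing\s+(?:[cdglr]\s+)?(?P<path>/.*)$")


def parse_verify(text):
    """Return {path: {"changed": [...], "config": bool}} from rpm -V output."""
    report = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = MISSING.match(line)
        if m:
            report[m["path"]] = {"changed": ["missing"], "config": False}
            continue
        m = LINE.match(line)
        if not m:
            continue  # blank line or text this sketch does not understand
        changed = [ATTRS[c] for c in m["flags"] if c in ATTRS]
        report[m["path"]] = {"changed": changed, "config": m["kind"] == "c"}
    return report


def altered_binaries(text):
    """Non-config files that are missing or whose content digest differs."""
    return sorted(p for p, r in parse_verify(text).items()
                  if not r["config"]
                  and ("digest" in r["changed"] or "missing" in r["changed"]))


# Constructed sample, not output from the poster's RaQ4.
SAMPLE = """\
S.5....T   /bin/ls
S.5....T   /bin/ps
.......T   /usr/bin/w
S.5....T c /etc/inetd.conf
missing    /usr/bin/top
"""

if __name__ == "__main__":
    for path in altered_binaries(SAMPLE):
        print("content differs from package database:", path)
```

Files reported with only `mtime` changed, and config files (marked `c`), are left out because their content digest still matches or they are expected to be edited.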