Re: [cobalt-security] root kitted :(
- Subject: Re: [cobalt-security] root kitted :(
- From: Mike Jeffers <mjeffers@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 2 Dec 2001 22:46:49 -0600 (CST)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
You read it correctly... I was looking to find "safe" files to copy over
the bogus ones until I get a chance to back the data off and restore.
The RPMs provided me with fresh copies of the files I was looking for.
I'm pretty sure I've firewalled the perpetrator out, so it's now just a
matter of postmortem procedures before the restoration. I'm still not sure
what service was exploited. I *thought* my box was fairly tight, minus a
good IDS and firewall solution. Which is my own fault anyway.
<shrug>
Thanks for the help gentlemen. :)
-Mike
On Sun, 2 Dec 2001, Roy A. Urick wrote:
> I think what he was requesting was file sizes, dates and checksums of known
> good files to compare to his? Or even known "safe" files to just copy over
> the top of his.
>
> That's how I read it.
>
> ----- Original Message -----
> From: "Taco Scargo" <taco.scargo@xxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Sent: Sunday, December 02, 2001 5:21 PM
> Subject: Re: [cobalt-security] root kitted :(
>
>
> > What you asked for is unchanged programs. By installing the RPMS (again) you
> > restore the original versions. That's what you wanted, didn't you?
> >
> > Anyway, if I were you, I'd store my data somewhere safe and restore the box.
> >
> > Taco