Re: [cobalt-security] amd root?
- Subject: Re: [cobalt-security] amd root?
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Tue, 5 Feb 2002 21:41:51 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Jeff,
> On one customer system chkrootkit is reporting "amd" and "syslogd" are
> both infected.
This could be the LRK4 rootkit - among others:
http://project.honeynet.org/challenge/results/submissions/addam/toolkit.txt
However, if so, then chkrootkit should find and identify it correctly, if I'm
not mistaken.
Jeff, I gather you're quite experienced in regards to Cobalts.
Did you recently stumble across any RaQ3 or RaQ4 which had /etc/shadow set to
-r--------?
Just today I had the third RaQ with the same signs and indications and I've
heard about two others with the same issue.
Of the three machines I was asked to look after, two were RaQ3s, the other one
was a RaQ4.
The modifications include a loadable kernel module which prevents "root" from
modifying certain files and folders. In /etc there is the hacker executable
nscd which is launched by an entry in /etc/rc.sysinit. Removal of /etc/nscd
instantly "walls": "System is going down for reboot" to all users and a
reboot is initiated. That can of course be stopped with "/sbin/init 3".
However, the LKM and the permissions on /etc/shadow make this a tough nut to
fix. The replaced system binaries include only netstat, ps, top and ifconfig.
While trying to find out how the hackers got in I'm kinda banging my head
against a wall, too. All machines seem to have all patches (one RaQ3 was
missing the latest Kernel patch) and all had the most recent SSH package
installed and had Telnet off.
At least the customers claim that all patches had been installed in time. If
they're telling the truth, then this could get nasty.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
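The signs Michael lists (an /etc/shadow forced to -r--------, a stray /etc/nscd executable, and an rc.sysinit entry that launches it) can be checked read-only against a mounted copy of a suspect RaQ disk. The script below is an added example, not code from the post or from Cobalt; the ROOT argument and the indicator names are assumptions, and the sample tree it builds when run without arguments is constructed for demonstration.

```shell
#!/bin/sh
# Read-only triage for the RaQ3/RaQ4 signs described in the mail. Nothing is
# modified, so it is safe to point at a mounted image (raq_triage /mnt/suspect).

# raq_triage ROOT -> prints one line per matched indicator, always exits 0.
raq_triage() {
  root="${1:-/}"
  # 1. /etc/shadow forced to 0400 (-r--------), the value seen on the hacked boxes.
  if [ -f "$root/etc/shadow" ]; then
    mode=$(stat -c '%a' "$root/etc/shadow" 2>/dev/null || stat -f '%Lp' "$root/etc/shadow")
    if [ "$mode" = "400" ]; then echo "shadow-mode-0400"; fi
  fi
  # 2. An executable named nscd living directly in /etc. The genuine name
  #    service cache daemon, if installed at all, normally lives under /usr/sbin.
  if [ -x "$root/etc/nscd" ]; then echo "etc-nscd-present"; fi
  # 3. rc.sysinit starting that file at boot (the mail says removing /etc/nscd
  #    triggers a forced reboot, so look before touching it).
  if grep -q '/etc/nscd' "$root/etc/rc.sysinit" 2>/dev/null; then
    echo "rc-sysinit-launches-nscd"
  fi
  return 0
}

# make_sample_tree DIR -> constructed fake root showing all three signs
# (demo input only, not a real rootkit).
make_sample_tree() {
  mkdir -p "$1/etc"
  : > "$1/etc/shadow"; chmod 0400 "$1/etc/shadow"
  printf '#!/bin/sh\n' > "$1/etc/nscd"; chmod 0755 "$1/etc/nscd"
  printf '# constructed rc.sysinit fragment\n/etc/nscd &\n' > "$1/etc/rc.sysinit"
}

if [ -n "$1" ]; then
  raq_triage "$1"
else
  demo=$(mktemp -d)
  make_sample_tree "$demo"
  raq_triage "$demo"          # prints all three indicator lines
  rm -rf "$demo"
fi
```

An empty result does not clear a machine: the mail also reports replaced netstat, ps, top and ifconfig, which should be compared against known-good copies from the Cobalt packages.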