Re: [cobalt-security] One weird HaQ... have you seen this..
- Subject: Re: [cobalt-security] One weird HaQ... have you seen this..
- From: Jeff Bilicki <jeff@xxxxxxxxxxx>
- Date: Tue, 12 Feb 2002 11:28:35 -0800
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
<3C681435.28934187@xxxxxxxxxxxxx> wrote:
> Here are the symptoms...
> from chkrootkit:
> Checking `lkm'... You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
> And really weird... from the "locate" command...
> [root /home]# locate crypto
> /home/susr/doc/python-docs-1.5.2/Doc/libcrypto.tex
> Now we know this should be:
> [root /home]# locate crypto
> /usr/doc/python-docs-1.5.2/Doc/libcrypto.tex
> and in fact the file is where it's supposed to be.
> When we first saw this we thought we were lucky; that we'd found the
> hacker because the slocate update was running at the moment he was
> hacking, and we started looking at those files... until we realized
> locate returned something weird like this for EVERY file on the box that
> didn't already start with /home/s
> Here's the scenario...
> We restore the box. It's good.
> We restore the sites (CMU). Good.
> The next day it has the symptoms again.
> Any help/ideas/requests for consulting work <smile> gratefully
> appreciated.
Suggestions:
- When importing with CMU use the -p option so all the passwords will be
changed, also change the default password in /etc/cmu/cobaltBase.xml
(userPasswd).
- Disable all cgi, ssi, asp, jsp, fpx or any other scripting language.
- Run a sniffer detector on your network, to make sure he/she hasn't hacked another
box and is using it to sniff passwords.
http://www.securiteam.com/tools/2GUQ8QAQOU.html
- Put your own sniffer on the same subnet and log all traffic to the box.
Jeff-
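The chkrootkit "process hidden for ps command" warning quoted above comes from comparing the PIDs the kernel exposes under /proc with the PIDs ps reports. The script below is an added example of that cross-check (it is not chkrootkit's code and not from this thread); it assumes a procps-style `ps -e -o pid=` and takes two snapshots so a process that simply exited between the /proc listing and the ps run is not reported as hidden. The sample ps output at the bottom is constructed.

```python
"""Cross-check /proc against ps to spot processes hidden from ps (LKM rootkit symptom)."""
import os
import re
import subprocess


def pids_from_ps_output(text):
    """Parse `ps -e -o pid=` output (one PID per line, possibly padded) into a set."""
    return {int(tok) for tok in re.findall(r"^\s*(\d+)\s*$", text, re.M)}


def pids_from_proc(proc_root="/proc"):
    """PIDs present as numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def hidden_pids(proc_pids, ps_pids, self_pid=None):
    """PIDs the kernel exposes in /proc but ps did not list, excluding ourselves."""
    return sorted(p for p in proc_pids - ps_pids if p != self_pid)


def check(passes=2):
    """Live check: only PIDs hidden in every pass are returned, which filters
    processes that exited between listing /proc and running ps."""
    agreed = None
    for _ in range(passes):
        proc_snapshot = pids_from_proc()
        out = subprocess.run(["ps", "-e", "-o", "pid="],
                             capture_output=True, text=True, check=True).stdout
        now = set(hidden_pids(proc_snapshot, pids_from_ps_output(out), os.getpid()))
        agreed = now if agreed is None else agreed & now
    return sorted(agreed)


# Constructed sample (not real output): /proc shows PID 1337, ps does not.
SAMPLE_PROC_PIDS = {1, 2, 345, 1337, 2048}
SAMPLE_PS_OUTPUT = "    1\n    2\n  345\n 2048\n"


def demo():
    """Offline demonstration on the constructed sample; returns [1337]."""
    return hidden_pids(SAMPLE_PROC_PIDS, pids_from_ps_output(SAMPLE_PS_OUTPUT))


if __name__ == "__main__":
    print("sample:", demo())
    print("live:", check())
```

A hit only says the kernel and ps disagree; confirm it by reading /proc/<pid>/status and cmdline from a clean rescue environment rather than the suspect box's own tools.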