
Re: [cobalt-security] RAQ3 & RAQ4 Hacked...



"Ben Koshy" <ben@xxxxxxxxxxx> wrote:
> I had this group called "Acid Fallz" hack 2 of my servers over the last
> few months...

Ben, I think it's AcidFalz.  I wasn't familiar with them so I did some quick
research.  See the following for other sites they've defaced and relevant
info:

http://defaced.alldas.de/?attacker=ACIDFALZ
http://defaced.alldas.org/?attacker=ACIDFALZ
http://defaced.alldas.org/?attacker=ACIDFALZ&x=stats

> they are based out of Russia and claim to only do
> defacements to prove security vulnerabilities... anyway, both servers had
> all patches applied from Cobalt.

A patched Cobalt server is still an insecure server.  Do you have an
intrusion detection system, software/hardware firewall, portscan detector,
log scanner, rootkit detector and unnecessary services shut down for
starters?  Users with shell access?  Telnet disabled?  Enforce strong
passwords or at least check for weak passwords?  A security solution can
have a lot more to it than that, but if you don't have a good basic security
solution your server is extremely vulnerable.

> All that was done was the index.htm
> page was replaced with the hacked version and the old page moved to a
> backup file.

How do you know that's all that was done?  Because they said so?  Because
everything else seems to work and no one is complaining that your boxes are
being used in a suspicious way?  Did you check for rootkits, loadable kernel
modules and compare file checksums, sizes, dates, etc. with known good
copies using something like fcheck or tripwire?  If not, don't be so sure
that was all the hacker did.

> A couple months back they did this to one of our RAQ4s,
> and then yesterday to a RAQ3.
>
> Any idea what hack this could be? I'm at a loss...

Impossible to say.  Also, be aware that even if you have the latest Cobalt
patches applied and a good security solution in place you still need to keep
on top of the latest vulnerabilities.  For example, in the last three weeks
vulnerabilities were announced in PHP, SSH and zlib among others.  Cobalt
employees released unofficial, unsupported PKGs a few days later for PHP and
SSH, but the zlib library is used by *many* programs, at least a few of
which you are likely running.  Cobalt has not yet released upgrades of all
of their programs that use zlib and neither have the developers of several
programs which I have investigated that rely on zlib.  The point is that
security is an ongoing responsibility and doing it right requires expertise.
If you have copies of logs, bash history files or better yet a copy of the
hard drives from one of the servers which was hacked, I or some other list
members can probably help you figure out how access was gained.  But if you
don't have a good security solution and unlimited time, you may be better
served by designing and implementing a good security solution.  My 2 cents.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
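The reply above argues that a defaced index page proves nothing about the rest of the box unless file checksums, sizes and dates are compared against known-good copies (fcheck, tripwire). The following is an added example, not code from the thread or from either tool, of the core of such a check: it records size, mtime, mode and a SHA-256 per file, diffs a later walk against that baseline, and replays the exact pattern Ben describes (original moved to a backup file, replacement page dropped in) on a constructed temporary web root.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def file_record(path):
    """Attributes compared against the known-good copy: size, mtime, mode, content hash."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mtime": int(st.st_mtime), "mode": stat.S_IMODE(st.st_mode)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()  # catches edits that keep size and timestamp intact
    return rec

def build_baseline(root):
    """Walk root and record every file, keyed by its path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline

def compare(baseline, current):
    """Return (kind, relpath, changed_fields) for every added, removed or changed file."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append(("added", rel, ()))
        elif new is None:
            findings.append(("removed", rel, ()))
        else:
            diff = tuple(k for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k))
            if diff:
                findings.append(("changed", rel, diff))
    return findings

def demo():
    """Constructed scenario: baseline a web root, then replay the defacement pattern from the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp, "web")
        web.mkdir()
        (web / "index.htm").write_text("<html>welcome</html>")
        (web / "logo.gif").write_bytes(b"GIF89a")
        baseline = build_baseline(web)  # in practice, keep this copy off-box or on read-only media
        (web / "index.htm").rename(web / "index.htm.bak")     # original moved to a backup file
        (web / "index.htm").write_text("<html>defaced</html>")  # same byte length as the original
        return compare(baseline, build_baseline(web))
```

Because the replacement page is the same length as the original, a size-only comparison would miss it; the hash field is what flags `index.htm` as changed, while `index.htm.bak` shows up as an unexpected new file.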