[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] Raq3 Hacked

Subject: Re: [cobalt-security] Raq3 Hacked
From: "David Smulsky" <dave@xxxxxxxxxxxxxxxx>
Date: Thu, 26 Sep 2002 17:36:27 -0400
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

from the looks of it, he guessed your password, cause those commands were
harmless, but he sure did scope your system out..  check with your friends
(or enemies) they might be fooling with you, cause a real hacker wouldnt of
left that much of a stamp in your system.

Dave
----- Original Message -----
From: "e13372002" <e13372002@xxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Thursday, September 26, 2002 3:19 PM
Subject: [cobalt-security] Raq3 Hacked


> I'm sorry to send a 2nd email but the first I sent is
> "awaiting moderator approval"
> I'm posting from a yahoo account for obvious reasons
>
> Well, my raq 3 running all the latest patches, ssh
> only and no CGI (except the cobalt web-gui) was
> hacked.
>
> After a hard disk crash about a month ago, I had a
> fresh installation, and I didn't install tripwire or
> any of the other stuff I should have installed.  I
> figured because I host just a couple non-profits,
> local bands and clubs, it didn't really need to be
> ultra-secure.  I figured wrong.
>
> The machine crashed lastnight/this morning.
>
> When rebooted, I could not get my personal email
> because of a "corrupted mail drop" so I logged into
> the machine using that user account and could not use
> the "ls" command in that home directory because of
> permissions changes. Also, pine could not read my
> mail, but "mail" could.
>
> So I logged into the admin account and saw this:
>
> Last login: Wed Sep 25 16:11:00 2002 from
> mkc-65-30-68-235.kc.rr.com
>
> I did not log in yesterday and that is not one of the
> IP addresses that would be me.
>
> I did a cat .bash_history and got this:
>
> ls
> cd /tmp
> ls
> ls -lar
> netstat -a
> ls -lR
> ls -lar
> ls -larR
> cd /
> ls
> netstat
> exit
>
> I know that was not me.
>
> I've changed the root/admin passwords and am now
> looking for more evidence on the machine.
>
> Checked Passwd and couldn't find any new users.
>
> Advice?
>
> RaqHaqFaq anywhere?
>
>
>
>
>
>
> Just ran chkrootkit and got nothing:
> ROOTDIR is `/'
> Checking `amd'... not found
> Checking `basename'... not infected
> Checking `biff'... not found
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... not infected
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> Checking `find'... not infected
> Checking `fingerd'... not infected
> Checking `gpm'... not found
> Checking `grep'... not infected
> Checking `hdparm'... not infected
> Checking `su'... not infected
> Checking `ifconfig'... not infected
> Checking `inetd'... not infected
> Checking `inetdconf'... not infected
> Checking `identd'... not found
> Checking `killall'... not infected
> Checking `ldsopreload'... not infected
> Checking `login'... not infected
> Checking `ls'... not infected
> Checking `lsof'... not found
> Checking `mail'... not infected
> Checking `mingetty'... not infected
> Checking `netstat'... not infected
> Checking `named'... not infected
> Checking `passwd'... not infected
> Checking `pidof'... not infected
> Checking `pop2'... not found
> Checking `pop3'... not found
> Checking `ps'... not infected
> Checking `pstree'... not infected
> Checking `rpcinfo'... not infected
> Checking `rlogind'... not infected
> Checking `rshd'... not infected
> Checking `slogin'... not infected
> Checking `sendmail'... not infected
> Checking `sshd'... not infected
> Checking `syslogd'... not infected
> Checking `tar'... not infected
> Checking `tcpd'... not infected
> Checking `top'... not infected
> Checking `telnetd'... not infected
> Checking `timed'... not found
> Checking `traceroute'... not infected
> Checking `w'... not infected
> Checking `write'... not infected
> Checking `aliens'... no suspect files
> Searching for sniffer's logs, it may take a while...
> nothing found
> Searching for HiDrootkit's default dir... nothing
> found
> Searching for t0rn's default files and dirs... nothing
> found
> Searching for t0rn's v8 defaults... nothing found
> Searching for Lion Worm default files and dirs...
> nothing found
> Searching for RSHA's default files and dir... nothing
> found
> Searching for RH-Sharpe's default files... nothing
> found
> Searching for Ambient's rootkit (ark) default files
> and dirs... nothing found
> Searching for suspicious files and dirs, it may take a
> while...
> /usr/lib/perl5/5.00503/i386-linux/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist
>
> Searching for LPD Worm files and dirs... nothing found
> Searching for Ramen Worm files and dirs... nothing
> found
> Searching for Maniac files and dirs... nothing found
> Searching for RK17 files and dirs... nothing found
> Searching for Ducoci rootkit... nothing found
> Searching for Adore Worm... nothing found
> Searching for ShitC Worm... nothing found
> Searching for Omega Worm... nothing found
> Searching for Sadmind/IIS Worm... nothing found
> Searching for MonKit... nothing found
> Searching for Showtee... nothing found
> Searching for OpticKit... nothing found
> Searching for T.R.K... nothing found
> Searching for Mithra... nothing found
> Searching for OBSD rk v1... nothing found
> Searching for anomalies in shell history files...
> nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... nothing detected
> Checking `rexedcs'... not found
> Checking `sniffer'...
> eth0 is not promisc
> eth0:0 is not promisc
> eth0:1 is not promisc
> Checking `wted'... nothing deleted
> Checking `scalper'... not infected
> Checking `slapper'... not infected
> Checking `z2'...
> nothing deleted
>
>
> __________________________________________________
> Do you Yahoo!?
> New DSL Internet Access from SBC & Yahoo!
> http://sbc.yahoo.com
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>

Follow-Ups:
- [cobalt-security] Another Local root exploit (interbase)
  - From: Brett Wright

References:
- [cobalt-security] Raq3 Hacked
  - From: e13372002

Prev by Date: Re: [cobalt-security] Secure Certificates
Next by Date: Re: [cobalt-security] viability of 'up2date' on an XTR?
Previous by thread: [cobalt-security] Raq3 Hacked
Next by thread: [cobalt-security] Another Local root exploit (interbase)

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index