[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] RaQFuCK
- Subject: Re: [cobalt-security] RaQFuCK
- From: "David Smulsky" <dave@xxxxxxxxxxxxxxxx>
- Date: Mon, 28 Oct 2002 14:14:46 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Turn on telnet to make sure you can get back in
Dave Smulsky
Senior Network Admin
dave@xxxxxxxxxxxxxxxx
www.thehostworks.com
----- Original Message -----
From: "MC Gonzalez" <mgonzalez@xxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Sunday, October 27, 2002 5:47 PM
Subject: Re: [cobalt-security] RaQFuCK
On Wed, 2002-10-23 at 22:45, Eugene Crosser wrote:
> On Thu, 2002-10-24 at 06:11, Scott F wrote:
>
> > Does anyone know of a fix, or if any of the recent
> > Cobalt/SUN patches addressed the RaQFuCK hack that
> > grabs access from /usr/lib/authenticate and opens a
> > shell..?
Question regarding this exploit. Does it do anything to ssh?
Background:
Bosses personal RAQ4 seems to have gotten hit with this. He asked me to
check it out. I noticed he didn't have the 15787 patch. He also didn't
have the latest and greatest ssh from pkgmaster. I installed the
pkgmaster first and now can't get in with ssh. I get the following:
Oct 27 17:09:56 www sshd[12146]: log: Connection from xxx.xxx.xxx.xxx
port 33599
Oct 27 17:09:56 www sshd[12146]: log: RhostsRsa authentication not
available for connections from unprivileged port.
Oct 27 17:10:33 www sshd[12146]: fatal: Connection closed by remote
host.
I am frankly afraid to install the 15787 patch as it requires a reboot
and I would hate to not be able to get back into this server :)
A google on this error turns up nothing helpful.
Thanks in advance!
--
Marie Gonzalez
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security