Re: [cobalt-security] I got Hacked, here's how I fixed it.
- Subject: Re: [cobalt-security] I got Hacked, here's how I fixed it.
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Wed, 15 Jan 2003 08:57:47 +0100
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Lance,
Good work on recovering that box and a nice write up.
Here is some additional info which might help others in the same situation:
Source for the original RPMs (easier than fetching them from the OS restore
CD):
RaQ4:
ftp://ftp.cobalt.com/pub/products/raq4/RPMS/
RaQ3:
ftp://ftp.cobalt.com/pub/products/raq3/RPMS/
To reinstall "procps" (for instance) on a hacked RaQ4 one would just run the
command ...
rpm -hUv --force --nodeps \
ftp://ftp.cobalt.com/pub/products/raq4/RPMS/procps-2.0.6-5.i386.rpm
Another easy way to selectively install individual files from an RPM (and not
the whole shebang) is Midnight Commander. If mc is installed (and the RPM has
644 permissions), then you just hit return on the RPM and open it in mc.
Browse to CONTENTS.cpio and hit return again. Then you'll be able to see the
files and folders which that RPM would install.
Also, for troubleshooting a hacked box the command "lsof" is *very* useful. It
lists open files. That command is not installed on a RaQ3 or RaQ4 (and we
wouldn't trust any onboard tool on a hacked box anyway). So you can grab it
here:
rpm -hUv \
ftp://rpmfind.net/linux/redhat/6.2/en/os/i386/RedHat/RPMS/lsof-4.47-2.i386.rpm
To see which files hold a network connection or socket open (backdoors
anyone?) the command ...
/usr/sbin/lsof -n |grep LISTEN
... shows a list of all files in that category.
However, if /sbin/init has been modified and/or a kernel-based rootkit is
installed, then even the output from clean commands could be filtered and
modified while they run. Fortunately most of the hacks aren't that
sophisticated.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
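As an added example (not part of Michael's post), the POSIX shell script below cross-checks the listening sockets that lsof reports against the kernel's /proc/net/tcp table, one way to notice a listener that a tampered lsof or hooked library keeps out of the "lsof -n | grep LISTEN" view. The embedded lsof and /proc output is constructed sample data, and the function names are the example's own.

```shell
#!/bin/sh
# Cross-check listening TCP sockets on a suspect box: the ports reported by a
# freshly installed lsof versus the ports in the kernel's /proc/net/tcp table.
# A port that /proc shows in LISTEN state (st = 0A) but lsof does not report
# is a candidate hidden listener. Sample outputs below are constructed; on a
# real box run "lsof -n -P | listening_ports_from_lsof" and
# "listening_ports_from_proc < /proc/net/tcp" (-P keeps lsof ports numeric).
# Listening ports from `lsof -n -P` output on stdin: the address is the
# next-to-last field (*:22, 127.0.0.1:3306, [::]:22); keep what follows the last colon.
listening_ports_from_lsof() {
    awk '/\(LISTEN\)/ { n = split($(NF - 1), a, ":"); print a[n] }' | sort -n | uniq
}
# Listening ports from /proc/net/tcp on stdin: local_address is hex ADDR:PORT.
# The port is converted by hand so any POSIX awk works (no gawk strtonum()).
listening_ports_from_proc() {
    awk 'function hex2dec(h,    i, d) {
             d = 0
             for (i = 1; i <= length(h); i++)
                 d = d * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
             return d
         }
         $4 == "0A" { split($2, a, ":"); print hex2dec(a[2]) }' | sort -n | uniq
}
# $1 = ports lsof reported, $2 = ports from /proc (newline separated). Listing
# the lsof set twice makes every port lsof knows occur at least twice, so
# "uniq -u" keeps exactly the ports only the kernel table knows about.
hidden_listeners() {
    printf '%s\n' "$1" "$1" "$2" | grep -v '^$' | sort | uniq -u | sort -n
}
# Constructed samples: lsof sees 22, 80 and 81; the kernel table also has a
# listener on 0x3039 = 12345 that lsof does not show.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      412 root    3u  IPv4    901  0t0  TCP *:22 (LISTEN)
httpd     530 root   16u  IPv4   1203  0t0  TCP *:80 (LISTEN)
httpd     530 root   17u  IPv4   1204  0t0  TCP *:81 (LISTEN)
sshd     1720 root    4u  IPv4   2210  0t0  TCP 10.0.0.5:22->10.0.0.9:40112 (ESTABLISHED)'
SAMPLE_PROC='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 901 1 c0f8c400 300 0 0 2 -1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1203 1 c0f8c800 300 0 0 2 -1
   2: 00000000:0051 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1204 1 c0f8cc00 300 0 0 2 -1
   3: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2388 1 c0f8d000 300 0 0 2 -1
   4: 0500000A:0016 0900000A:9CB0 01 00000000:00000000 00:00000000 00000000     0        0 2210 1 c0f8d400 300 0 0 2 -1'
# Run the cross-check on the samples; prints the ports only /proc knows about.
check_samples() {
    hidden_listeners "$(printf '%s\n' "$SAMPLE_LSOF" | listening_ports_from_lsof)" \
                     "$(printf '%s\n' "$SAMPLE_PROC" | listening_ports_from_proc)"
}
check_samples
```

The same caveat from the post applies: a kernel-level rootkit can filter /proc as easily as it filters lsof, so agreement between the two views is not proof of a clean box.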