
Re: [cobalt-security] I got Hacked, here's how I fixed it.



Hi Lance,

Good work on recovering that box and a nice write up.

Here is some additional info which might help others in the same situation:

Source for the original RPMs (easier than fetching them from the OS restore 
CD):

RaQ4:

ftp://ftp.cobalt.com/pub/products/raq4/RPMS/

RaQ3:

ftp://ftp.cobalt.com/pub/products/raq3/RPMS/

To reinstall "procps" (for instance) on a hacked RaQ4 one would just run the 
command ...

rpm -hUv --force --nodeps \
ftp://ftp.cobalt.com/pub/products/raq4/RPMS/procps-2.0.6-5.i386.rpm

Another easy way to selectively install individual files from an RPM (and not 
the whole shebang) is Midnight Commander. If mc is installed (and the RPM has 
644 permissions), then you just hit return on the RPM and open it in mc. 
Browse to CONTENTS.cpio and hit return again. Then you'll be able to see the 
files and folders which that RPM would install.

Also, for troubleshooting a hacked box the command "lsof" is *very* useful. It 
lists open files. That command is not installed on a RaQ3 or RaQ4 (and we 
wouldn't trust any onboard tool on a hacked box anyway). So you can grab it 
here:

rpm -hUv \
ftp://rpmfind.net/linux/redhat/6.2/en/os/i386/RedHat/RPMS/lsof-4.47-2.i386.rpm

To see which files hold a network connection or socket open (backdoors 
anyone?) the command ...

/usr/sbin/lsof -n |grep LISTEN

... shows a list of all files in that category.

However, if /sbin/init has been modified and/or a kernel based rootkit is 
installed, then even the output from clean commands could be filtered and 
modified while they run. Fortunately most of the hacks aren't that 
sophisticated.

-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
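A small check in the spirit of the lsof one-liner above, added here as an example rather than taken from Michael's post: it reads "lsof -n -P -i" output and reports every LISTEN socket whose port is not on a hand-kept allowlist of services the box should be running. The allowlist, process names, PIDs and ports in the sample are constructed, not captured from a real RaQ.

```shell
#!/bin/sh
# Added example (not from the original post): flag LISTEN sockets reported by
# lsof whose port is not on an allowlist of services the box is expected to run.
# Live use on a recovered box:  /usr/sbin/lsof -n -P -i | flag_listeners "22 25 80"
# (-P keeps numeric ports, -n keeps numeric hosts, so the columns stay stable.)

# Ports this box is expected to listen on (hypothetical allowlist for the sample).
EXPECTED_PORTS="22 25 80 443"

# Reads "lsof -n -P -i" style lines on stdin and prints "pid command port" for
# each LISTEN line whose port is absent from $1 (a space separated port list).
flag_listeners() {
    allow=" $1 "
    # lsof -i columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME STATE
    while read -r cmd pid user fd type dev size node name state; do
        [ "$state" = "(LISTEN)" ] || continue   # header and non-listeners skip
        port=${name##*:}                         # "*:22" or "10.0.0.5:25" -> port
        case "$allow" in
            *" $port "*) ;;                      # expected service, say nothing
            *) echo "$pid $cmd $port" ;;         # unexpected listener, report it
        esac
    done
}

# Constructed sample of "lsof -n -P -i" output (not captured from a real box).
SAMPLE='COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd     311 root 3u IPv4 520 0t0 TCP *:22 (LISTEN)
httpd    402 root 16u IPv4 901 0t0 TCP *:80 (LISTEN)
httpd    403 httpd 16u IPv4 901 0t0 TCP *:80 (LISTEN)
unknown  7734 root 3u IPv4 4401 0t0 TCP *:1234 (LISTEN)
sendmail 288 root 4u IPv4 480 0t0 TCP 10.0.0.5:25 (LISTEN)
httpd    402 root 17u IPv4 902 0t0 TCP 10.0.0.5:34512->10.0.0.9:80 (ESTABLISHED)'

# Example run on the constructed sample: only the port 1234 listener is reported.
printf '%s\n' "$SAMPLE" | flag_listeners "$EXPECTED_PORTS"
```

Treat a hit as something to explain from the package list and the clean RPMs, not as proof on its own: as the post notes, a tampered init or kernel can hide a listener from lsof entirely.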