
[cobalt-security] RE: cobalt-security digest, Vol 1 #1099 - 5 msgs



How do I edit the file that contains the IP to J.ROOT server?  I am just
learning this and cannot seem to find the right commands on my Qube 3 Pro.

Stefan

> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx [mailto:cobalt-security-
> admin@xxxxxxxxxxxxxxx] On Behalf Of cobalt-security-
> request@xxxxxxxxxxxxxxx
> Sent: Saturday, February 22, 2003 3:00 PM
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: cobalt-security digest, Vol 1 #1099 - 5 msgs
> 
> Today's Topics:
> 
>    1. j root server (paul jacobs)
>    2. Re: j root server (Dave @ The Hostworks)
>    3. Re: j root server (Alan Ng)
>    4. Re: j root server (paul jacobs)
>    5. Cracker tools found on a RaQ 4 (Bruce Timberlake)
> 
> --__--__--
> 
> Message: 1
> Date: Fri, 21 Feb 2003 12:08:30 -0800
> To: cobalt-security@xxxxxxxxxxxxxxx
> From: paul jacobs <paul@xxxxxxxxxxxxxxxxxx>
> Subject: [cobalt-security] j root server
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> 
> What is the new I.P. for the "J" root server again?
> 
> 
> 
> --__--__--
> 
> Message: 2
> From: "Dave @ The Hostworks" <dave@xxxxxxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Subject: Re: [cobalt-security] j root server
> Date: Fri, 21 Feb 2003 15:19:25 -0500
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> 
> not sure, nslookup ?
> ----- Original Message -----
> From: "paul jacobs" <paul@xxxxxxxxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Sent: Friday, February 21, 2003 3:08 PM
> Subject: [cobalt-security] j root server
> 
> 
> > What is the new I.P. for the "J" root server again?
> >
> >
> > _______________________________________________
> > cobalt-security mailing list
> > cobalt-security@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> >
> 
> 
> 
> --__--__--
> 
> Message: 3
> Date: Fri, 21 Feb 2003 12:22:29 -0800
> To: cobalt-security@xxxxxxxxxxxxxxx
> From: Alan Ng <alan@xxxxxxxxxxxxxxxxx>
> Subject: Re: [cobalt-security] j root server
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> 
> This is what I have for "J"
> 
>          J.ROOT-SERVERS.NET.     192.58.128.30
> 
> Alan
> 
> 
> At 12:08 PM 2/21/2003, you wrote:
> >What is the new I.P. for the "J" root server again?
> >
> >
> 
> 
> --__--__--
> 
> Message: 4
> Date: Fri, 21 Feb 2003 12:39:28 -0800
> To: cobalt-security@xxxxxxxxxxxxxxx
> From: paul jacobs <paul@xxxxxxxxxxxxxxxxxx>
> Subject: Re: [cobalt-security] j root server
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> 
> At 12:22 PM 2/21/2003, you wrote:
> 
> >This is what I have for "J"
> >
> >         J.ROOT-SERVERS.NET.     192.58.128.30
> >
> >Alan
> 
> Cool, thanks.
> 
> 
> 
> >At 12:08 PM 2/21/2003, you wrote:
> >>What is the new I.P. for the "J" root server again?
> >>
> >>
> >
> 
> Best Regards,
> Paul Jacobs / SR. Network Manager
> Microsoft  MCP 2000 / Cisco Certified
> Design / Install / Troubleshoot / Optimize /
> Security of WANs / LANs / Data Recovery
> Mon. - Fri. 9AM - 5PM (619)336-1400
> http://www.adv-data.com
> 
> 
> 
> 
> --__--__--
> 
> Message: 5
> From: Bruce Timberlake <bruce@xxxxxxxxxx>
> Organization: BRTNet.org
> To: cobalt-security@xxxxxxxxxxxxxxx
> Date: Fri, 21 Feb 2003 16:47:48 -0800
> Cc: cobalt-users@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] Cracker tools found on a RaQ 4
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> 
> Doing some work for a client, and found a set of tools called 'vanish'
> in /dev/.tty1. Looking at the source code shows this:
> 
> /*********************************************************************
>  Vanish.c cleans WTMP, UTMP, lastlog, messages, secure, xferlog, maillog, *
> * warn, mail, httpd.access_log, httpd.error_log. Use your brain, check your*
> * logs and edit accordingly !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!*
> ****************************************************************************
> * Warning!! This programm is for educational purpouse only! I am not *
> * responsible to anything you do with this !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!*
> ****************************************************************************
> * Code written for Unix like systems! Tested on SuSE-Linux 6.2 ! *
> * Compile like: gcc vanish.c -o vanish *
> **************************************************************************
> */
> 
> 
> It needs access to the compiler to work.
> 
> I found this by running a search for all programs without a valid
> owner on the system:
> 
> find / \( -nouser -o -nogroup \) -exec ls -lF {} \;
> 
> Here's what the directory and filenames look like (sorry for the bogus
> wrapping):
> 
> drwxr-xr-x    5 1471     1471         1024 Oct 29 13:32 sk-1.3a/
> -rw-r--r--    1 root     500         45051 Jul  7  2002 sk-1.3a.tar.gz
> -rwxr-xr-x    1 root     500         17433 Oct 29 13:31 van*
> -rw-r--r--    1 root     500          6195 Feb 15  2000 vanish.c
> -rw-r--r--    1 root     500         45051 Jul  7  2002 /dev/.tty1/sk-1.3a.tar.gz
> -rw-r--r--    1 root     500          6195 Feb 15  2000 /dev/.tty1/vanish.c
> -rwxr-xr-x    1 root     500         17433 Oct 29 13:31 /dev/.tty1/van*
> -rw-r--r--    1 root     500           217 Oct 29 13:32 /dev/.tty1/sk-1.3a/include/config.h
> -rw-r--r--    1 root     500          7236 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/sha1.o
> -rw-r--r--    1 root     500          1904 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/crypto.o
> -rwxr-xr-x    1 root     500         12224 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/pass*
> -rwxr-xr-x    1 root     500         16864 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/login*
> -rw-r--r--    1 root     500          5908 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/backdoor.o
> -rw-r--r--    1 root     500          2820 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/client.o
> -rw-r--r--    1 root     500          2976 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/install.o
> -rw-r--r--    1 root     500         51505 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/kernel.s
> -rw-r--r--    1 root     500         11548 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/kernel.o
> -rw-r--r--    1 root     500          1108 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/kmem.o
> -rw-r--r--    1 root     500          1084 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/lib.o
> -rw-r--r--    1 root     500          2580 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/main.o
> -rw-r--r--    1 root     500          1708 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/pattern.o
> -rw-r--r--    1 root     500          7504 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/printf.o
> -rwxr-xr-x    1 root     500         29816 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/sk*
> -rwxr-xr-x    1 root     500          3388 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/bin2oct*
> -rwxr-xr-x    1 root     500         16864 Oct 29 13:32 /dev/.tty1/sk-1.3a/login*
> -rwxr-xr-x    1 root     500         29816 Oct 29 13:32 /dev/.tty1/sk-1.3a/sk*
> -rw-r--r--    1 root     500         61671 Oct 29 13:32 /dev/.tty1/sk-1.3a/inst
> 
> Also you might want to run a check for all setuid files and see if
> anything suspicious appears:
> 
> find / -type f -perm +6000 -exec ls -lF {} \;
> 
> I'm sending the info to the chkrootkit folks for (hopeful) inclusion
> in the next chkrootkit update...
> 
> --
> Bruce Timberlake
> 
> 
> 
> 
> 
> --__--__--
> 
> 
> 
> End of cobalt-security Digest
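
The two sweeps described in message 5 of the digest (files without a valid owner, and setuid/setgid files), written as reusable functions. This is an added example, not part of the original posts: the function names, the `-xdev` restriction and the constructed sample tree are assumptions of the example, and it goes beyond the post with a check for regular files and dot-directories under a device directory, which is where the tools were found.

```shell
#!/bin/sh
# Added example: the two sweeps from the post plus a /dev check.
# Hits are leads to review by hand, not verdicts.
# -xdev keeps find on one filesystem; repeat each call per mount point.

# Files and directories whose UID or GID has no passwd/group entry.
# The parentheses make the action apply to both tests; without them
# "-nouser -o -nogroup -exec ..." runs the action for -nogroup only.
unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Regular files carrying the setuid or setgid bit. Written as two
# "-perm -MODE" tests because current GNU find rejects "-perm +6000"
# (its replacement there is "-perm /6000").
suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Regular files and dot-directories below a device directory.
# Pass an absolute path such as /dev.
odd_in_dev() {
    find "$1" -xdev \( -type f -o -type d -name '.*' \) -print 2>/dev/null
}

# Constructed sample tree (empty files, names modelled on the post) so the
# functions can be tried without touching a real system. Prints its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/dev/.tty1" "$t/bin"
    : > "$t/dev/.tty1/vanish.c"
    : > "$t/bin/plain"; chmod 755 "$t/bin/plain"
    : > "$t/bin/tool";  chmod 4755 "$t/bin/tool"
    printf '%s\n' "$t"
}

# On a host, run as root so find can read every directory:
#   unowned / ; suid_sgid / ; odd_in_dev /dev
```

Comparing the `suid_sgid` output against a list saved when the system was known to be clean makes new entries stand out.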