[cobalt-security] RE: cobalt-security digest, Vol 1 #1099 - 5 msgs
- Subject: [cobalt-security] RE: cobalt-security digest, Vol 1 #1099 - 5 msgs
- From: "Stefan Jones" <stefan.w.jones@xxxxxxxxxxx>
- Date: Tue, 25 Feb 2003 09:33:21 -0500
- Organization: Wynn Consulting
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
How do I edit the file that contains the IP to J.ROOT server? I am just
learning this and cannot seem to find the right commands on my Qube 3 Pro.
Stefan
> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx [mailto:cobalt-security-
> admin@xxxxxxxxxxxxxxx] On Behalf Of cobalt-security-
> request@xxxxxxxxxxxxxxx
> Sent: Saturday, February 22, 2003 3:00 PM
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: cobalt-security digest, Vol 1 #1099 - 5 msgs
>
>
> Today's Topics:
>
> 1. j root server (paul jacobs)
> 2. Re: j root server (Dave @ The Hostworks)
> 3. Re: j root server (Alan Ng)
> 4. Re: j root server (paul jacobs)
> 5. Cracker tools found on a RaQ 4 (Bruce Timberlake)
>
> --__--__--
>
> Message: 1
> Date: Fri, 21 Feb 2003 12:08:30 -0800
> To: cobalt-security@xxxxxxxxxxxxxxx
> From: paul jacobs <paul@xxxxxxxxxxxxxxxxxx>
> Subject: [cobalt-security] j root server
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> What is the new I.P. for the "J" root server again?
>
>
>
> --__--__--
>
> Message: 2
> From: "Dave @ The Hostworks" <dave@xxxxxxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Subject: Re: [cobalt-security] j root server
> Date: Fri, 21 Feb 2003 15:19:25 -0500
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> not sure, nslookup ?
> ----- Original Message -----
> From: "paul jacobs" <paul@xxxxxxxxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Sent: Friday, February 21, 2003 3:08 PM
> Subject: [cobalt-security] j root server
>
>
> > What is the new I.P. for the "J" root server again?
> >
> >
> > _______________________________________________
> > cobalt-security mailing list
> > cobalt-security@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> >
>
>
>
> --__--__--
>
> Message: 3
> Date: Fri, 21 Feb 2003 12:22:29 -0800
> To: cobalt-security@xxxxxxxxxxxxxxx
> From: Alan Ng <alan@xxxxxxxxxxxxxxxxx>
> Subject: Re: [cobalt-security] j root server
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> This is what I have for "J"
>
> J.ROOT-SERVERS.NET. 192.58.128.30
>
> Alan
>
>
> At 12:08 PM 2/21/2003, you wrote:
> >What is the new I.P. for the "J" root server again?
>
>
> --__--__--
>
> Message: 4
> Date: Fri, 21 Feb 2003 12:39:28 -0800
> To: cobalt-security@xxxxxxxxxxxxxxx
> From: paul jacobs <paul@xxxxxxxxxxxxxxxxxx>
> Subject: Re: [cobalt-security] j root server
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> At 12:22 PM 2/21/2003, you wrote:
>
> >This is what I have for "J"
> >
> > J.ROOT-SERVERS.NET. 192.58.128.30
> >
> >Alan
>
> Cool, thanks.
>
>
>
> >At 12:08 PM 2/21/2003, you wrote:
> >>What is the new I.P. for the "J" root server again?
>
> Best Regards,
> Paul Jacobs / SR. Network Manager
> Microsoft MCP 2000 / Cisco Certified
> Design / Install / Troubleshoot / Optimize /
> Security of WANs / LANs / Data Recovery
> Mon. - Fri. 9AM - 5PM (619)336-1400
> http://www.adv-data.com
>
>
>
>
> --__--__--
>
> Message: 5
> From: Bruce Timberlake <bruce@xxxxxxxxxx>
> Organization: BRTNet.org
> To: cobalt-security@xxxxxxxxxxxxxxx
> Date: Fri, 21 Feb 2003 16:47:48 -0800
> Cc: cobalt-users@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] Cracker tools found on a RaQ 4
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> Doing some work for a client, and found a set of tools called 'vanish'
> in /dev/.tty1. Looking at the source code shows this:
>
> /*********************************************************************
> Vanish.c cleans WTMP, UTMP, lastlog, messages, secure, xferlog, maillog, *
> * warn, mail, httpd.access_log, httpd.error_log. Use your brain, check your*
> * logs and edit accordingly !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!*
> ****************************************************************************
> * Warning!! This programm is for educational purpouse only! I am not *
> * responsible to anything you do with this !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!*
> ****************************************************************************
> * Code written for Unix like systems! Tested on SuSE-Linux 6.2 ! *
> * Compile like: gcc vanish.c -o vanish *
> **************************************************************************
> */
>
>
> It needs access to the compiler to work.
>
> I found this by running a search for all programs without a valid
> owner on the system:
>
> find / \( -nouser -o -nogroup \) -exec ls -lF {} \;
>
> Here's what the directory and filenames look like (sorry for the bogus
> wrapping):
>
> drwxr-xr-x 5 1471 1471 1024 Oct 29 13:32 sk-1.3a/
> -rw-r--r-- 1 root 500 45051 Jul 7 2002 sk-1.3a.tar.gz
> -rwxr-xr-x 1 root 500 17433 Oct 29 13:31 van*
> -rw-r--r-- 1 root 500 6195 Feb 15 2000 vanish.c
> -rw-r--r-- 1 root 500 45051 Jul 7 2002 /dev/.tty1/sk-1.3a.tar.gz
> -rw-r--r-- 1 root 500 6195 Feb 15 2000 /dev/.tty1/vanish.c
> -rwxr-xr-x 1 root 500 17433 Oct 29 13:31 /dev/.tty1/van*
> -rw-r--r-- 1 root 500 217 Oct 29 13:32 /dev/.tty1/sk-1.3a/include/config.h
> -rw-r--r-- 1 root 500 7236 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/sha1.o
> -rw-r--r-- 1 root 500 1904 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/crypto.o
> -rwxr-xr-x 1 root 500 12224 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/pass*
> -rwxr-xr-x 1 root 500 16864 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/login*
> -rw-r--r-- 1 root 500 5908 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/backdoor.o
> -rw-r--r-- 1 root 500 2820 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/client.o
> -rw-r--r-- 1 root 500 2976 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/install.o
> -rw-r--r-- 1 root 500 51505 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/kernel.s
> -rw-r--r-- 1 root 500 11548 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/kernel.o
> -rw-r--r-- 1 root 500 1108 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/kmem.o
> -rw-r--r-- 1 root 500 1084 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/lib.o
> -rw-r--r-- 1 root 500 2580 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/main.o
> -rw-r--r-- 1 root 500 1708 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/pattern.o
> -rw-r--r-- 1 root 500 7504 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/printf.o
> -rwxr-xr-x 1 root 500 29816 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/sk*
> -rwxr-xr-x 1 root 500 3388 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/bin2oct*
> -rwxr-xr-x 1 root 500 16864 Oct 29 13:32 /dev/.tty1/sk-1.3a/login*
> -rwxr-xr-x 1 root 500 29816 Oct 29 13:32 /dev/.tty1/sk-1.3a/sk*
> -rw-r--r-- 1 root 500 61671 Oct 29 13:32 /dev/.tty1/sk-1.3a/inst
>
> Also you might want to run a check for all setuid files and see if
> anything suspicious appears:
>
> find / -type f -perm +6000 -exec ls -lF {} \;
>
> I'm sending the info to the chkrootkit folks for (hopeful) inclusion
> in the next chkrootkit update...
>
> --
> Bruce Timberlake
>
>
>
>
> --__--__--
>
>
> End of cobalt-security Digest
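
Added example, not part of the original posts: the two `find` checks from Bruce Timberlake's message, plus a sweep for regular files and dot-directories under `/dev` (where `/dev/.tty1` was found) and a comparison of setuid/setgid files against a known-good list. The function names and the baseline-file convention are assumptions; `-perm -4000 -o -perm -2000` is used because current GNU find rejects the older `-perm +6000` form.

```shell
#!/bin/sh
# Added example: host sweep modelled on the checks in the digest above.
# Function names and the baseline file are hypothetical.

# Paths whose numeric owner or group has no passwd/group entry.
# The parentheses matter: without them the action binds only to -nogroup.
# -xdev keeps the search on the filesystem that holds $1.
unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Regular files and dot-directories below a device directory.
# -xdev skips separately mounted trees such as /dev/pts and /dev/shm.
odd_dev_entries() {
    find "$1" -xdev \( -type f -o \( -type d -name '.*' \) \) -print 2>/dev/null
}

# Regular files carrying the setuid or setgid bit.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# setuid/setgid files that are absent from a known-good list.
# $2 is a baseline made earlier with: setid_files / | LC_ALL=C sort > file
new_setid_since() {
    setid_files "$1" | LC_ALL=C sort | LC_ALL=C comm -13 "$2" -
}

# Run every check against the live system (not called automatically).
sweep_host() {
    echo "== unowned ==";          unowned /
    echo "== odd /dev entries =="; odd_dev_entries /dev
    echo "== setuid/setgid ==";    setid_files /
}
```

Object names such as `kernel.o` and `kmem.o` in the listing suggest kernel-level components, which can hide files from `find` on the running system, so repeat the sweep from trusted boot media with the disk mounted read-only. On older systems `/dev/MAKEDEV` is an expected regular file in the `/dev` results.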