[cobalt-security] Another Cobalt break-in
- Subject: [cobalt-security] Another Cobalt break-in
- From: Parker Morse <morse@xxxxxxxxxxx>
- Date: Tue, 22 Apr 2003 12:17:30 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Looks like someone broke in to my Qube3 last week.
chkrootkit 0.39a started reporting netstat as infected on Wednesday. I'm a
one-man IT department and had too much on my plate to notice until today.
:-(
Anyway, I installed chkrootkit 0.40 today. It runs and still shows netstat
as the only infected binary (if I'm understanding the output correctly)
but it tends to take a LONG time checking inetd, and eventually appears to
hang on "Checking `aliens'..."
I did a "locate netstat" and turned up a directory ...
[root /root]# locate netstat
/bin/xnetstat
/bin/netstat
/usr/bin/snmpnetstat
/usr/etc/bin/Xnetstat
/usr/man/man1/snmpnetstat.1
/usr/man/man8/netstat.8
/dev/ida/.mc/trojan/netstat
/dev/.backup/netstat
Needless to say, "/dev/ida/.mc/" is a little ball of badness. :-( Phil
Lewis sent me some md5 sums, and from those and a date listing, I'm pretty
sure the following have been replaced:
[root /bin]# ls -alt
total 4387
-rwxr-xr-x 1 root root 450896 Apr 22 12:11 bash2
-rwxr-xr-x 1 root root 21456 Apr 22 12:11 chmod
-rwxr-xr-x 1 root root 24048 Apr 22 12:11 chown
-rwxr-xr-x 1 root root 43408 Apr 22 12:11 cp
-rwxr-xr-x 1 root root 49808 Apr 22 12:11 cpio
-rwxr-xr-x 1 root root 34128 Apr 22 12:11 dd
-rwxr-xr-x 1 root root 32656 Apr 22 12:11 df
-rwxr-xr-x 1 root root 116295 Apr 22 12:11 fgrep
-rwxr-xr-x 1 root root 26480 Apr 22 12:11 ln
-rwxr-xr-x 1 root root 22320 Apr 22 12:11 mkdir
-rwxr-xr-x 1 root root 20144 Apr 22 12:11 mknod
-rwxr-xr-x 1 root root 30352 Apr 22 12:11 rm
-rwxr-xr-x 1 root root 15408 Apr 22 12:11 rmdir
-rwxr-xr-x 1 root root 14000 Apr 22 12:11 sync
-rwxr-xr-x 1 root root 28848 Apr 22 12:11 touch
-rwxr-xr-x 1 root root 26782 Apr 22 10:15 cat
-rwxr-xr-x 1 root root 49520 Apr 22 04:08 sed
-rwxr-xr-x 1 root root 47871 Apr 22 04:08 sort
-rwxr-x--- 1 root wheel 22032 Apr 22 04:02 chgrp
-rwxr-xr-x 1 root root 116295 Apr 22 04:02 egrep
-rwxr-xr-x 2 root root 152944 Apr 21 20:45 gawk
-rwxr-xr-x 2 root root 152944 Apr 21 20:45 gawk-3.0.4
-rwxr-xr-x 1 root root 50576 Apr 21 19:00 mv
-rwxr-xr-x 1 root root 51120 Apr 21 17:23 ls
-rwxr-xr-x 1 root root 116294 Apr 21 17:11 grep
-rwxr-xr-x 1 root guest 15860 Apr 15 12:24 netstat
-rwxr-xr-x 1 root guest 15855 Apr 15 12:24 ps
I'd like some advice on figuring out which kit was installed... or any
helpful notes. It doesn't look like any of our /home/ files have been
modified yet.
pjm
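The two checks the post describes, looking for stray regular files under /dev and comparing binaries against known-good md5 sums, as an added shell example that is not part of the original message or of chkrootkit. It builds a constructed sample tree (a fake /bin, a baseline taken while it is clean, then two "trojaned" binaries and a hidden stash under a fake /dev) so it runs unprivileged and offline; the file names and contents are made up for the demo, and it assumes md5sum (GNU/busybox) or md5 (BSD/macOS) is installed.

```shell
#!/bin/sh
# Added example (not from the original post): re-create the two checks in the
# message -- hidden regular files under /dev, and binaries whose md5 no longer
# matches a known-good list -- on a constructed sample tree.

# md5 of one file, portable between GNU coreutils/busybox and BSD/macOS.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# /dev should hold device nodes, directories, symlinks, fifos and sockets.
# A regular file there (let alone a hidden directory full of them, like
# /dev/ida/.mc/trojan/ in the post) is a classic rootkit stash.
find_regular_files_in_dev() {    # $1 = the /dev directory to scan
    find "$1" -type f | sort
}

# Take a baseline: one "md5  path" line per file, the same format md5sum
# prints, so it can be produced on a clean box and carried over on read-only
# media.
record_baseline() {              # $1 = directory, $2 = output file
    : > "$2"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$2"
    done
}

# Compare live files against the baseline. Prints one line per problem:
# "MODIFIED <path>" when the hash differs, "MISSING <path>" when the file is
# gone. Output is empty when everything matches.
verify_baseline() {              # $1 = baseline file
    while read -r want path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "$(hash_file "$path")" != "$want" ]; then
            printf 'MODIFIED %s\n' "$path"
        fi
    done < "$1"
}

# Constructed sample tree (names and contents invented for the demo): a fake
# /bin baselined while clean, then a simulated break-in that replaces netstat
# and ps and stashes copies under a fake /dev.
setup_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/dev/ida/.mc/trojan" "$root/dev/.backup"
    for b in ls ps netstat grep; do
        printf 'genuine %s\n' "$b" > "$root/bin/$b"
    done
    record_baseline "$root/bin" "$root/bin.md5"
    # The "break-in": two binaries swapped, originals/copies hidden in /dev.
    printf 'trojaned netstat\n' > "$root/bin/netstat"
    printf 'trojaned ps\n'      > "$root/bin/ps"
    cp "$root/bin/netstat" "$root/dev/ida/.mc/trojan/netstat"
    cp "$root/bin/netstat" "$root/dev/.backup/netstat"
    mkfifo "$root/dev/log"               # a fifo is legitimate in /dev
    ln -s /dev/null "$root/dev/null"     # so is a symlink; neither is reported
    printf '%s\n' "$root"
}

DEMO_ROOT=$(setup_demo)
trap 'rm -rf "$DEMO_ROOT"' EXIT

echo "== regular files under $DEMO_ROOT/dev (a clean box lists none)"
find_regular_files_in_dev "$DEMO_ROOT/dev"
echo "== binaries that no longer match the baseline"
verify_baseline "$DEMO_ROOT/bin.md5"
```

On a real incident the caveat matters more than the script: the `ls -alt` listing above shows ls, grep, find-adjacent tools and the shell itself among the freshly dated files, so `find`, `md5sum`, `sort` and `sh` on the suspect host cannot be trusted to report honestly. Run checks like these from a known-clean boot medium or against the disk mounted read-only on another machine, and take the baseline from the vendor packages or an identical untouched box rather than from the suspect system.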