
[cobalt-security] Another Cobalt break-in
Looks like someone broke into my Qube3 last week.

chkrootkit 0.39a started reporting netstat as infected on Wednesday. I'm a one-man IT department and had too much on my plate to notice until today. :-(

Anyway, I installed chkrootkit 0.40 today. It runs and still shows netstat as the only infected binary (if I'm understanding the output correctly) but it tends to take a LONG time checking inetd, and eventually appears to hang on "Checking `aliens'..."

I did a "locate netstat" and turned up a directory ...

[root /root]# locate netstat
/bin/xnetstat
/bin/netstat
/usr/bin/snmpnetstat
/usr/etc/bin/Xnetstat
/usr/man/man1/snmpnetstat.1
/usr/man/man8/netstat.8
/dev/ida/.mc/trojan/netstat
/dev/.backup/netstat

Needless to say, "/dev/ida/.mc/" is a little ball of badness. :-( Phil Lewis sent me some md5 sums, and from those and a date listing, I'm pretty sure the following have been replaced:

[root /bin]# ls -alt
total 4387
-rwxr-xr-x    1 root     root       450896 Apr 22 12:11 bash2
-rwxr-xr-x    1 root     root        21456 Apr 22 12:11 chmod
-rwxr-xr-x    1 root     root        24048 Apr 22 12:11 chown
-rwxr-xr-x    1 root     root        43408 Apr 22 12:11 cp
-rwxr-xr-x    1 root     root        49808 Apr 22 12:11 cpio
-rwxr-xr-x    1 root     root        34128 Apr 22 12:11 dd
-rwxr-xr-x    1 root     root        32656 Apr 22 12:11 df
-rwxr-xr-x    1 root     root       116295 Apr 22 12:11 fgrep
-rwxr-xr-x    1 root     root        26480 Apr 22 12:11 ln
-rwxr-xr-x    1 root     root        22320 Apr 22 12:11 mkdir
-rwxr-xr-x    1 root     root        20144 Apr 22 12:11 mknod
-rwxr-xr-x    1 root     root        30352 Apr 22 12:11 rm
-rwxr-xr-x    1 root     root        15408 Apr 22 12:11 rmdir
-rwxr-xr-x    1 root     root        14000 Apr 22 12:11 sync
-rwxr-xr-x    1 root     root        28848 Apr 22 12:11 touch
-rwxr-xr-x    1 root     root        26782 Apr 22 10:15 cat
-rwxr-xr-x    1 root     root        49520 Apr 22 04:08 sed
-rwxr-xr-x    1 root     root        47871 Apr 22 04:08 sort
-rwxr-x---    1 root     wheel       22032 Apr 22 04:02 chgrp
-rwxr-xr-x    1 root     root       116295 Apr 22 04:02 egrep
-rwxr-xr-x    2 root     root       152944 Apr 21 20:45 gawk
-rwxr-xr-x    2 root     root       152944 Apr 21 20:45 gawk-3.0.4
-rwxr-xr-x    1 root     root        50576 Apr 21 19:00 mv
-rwxr-xr-x    1 root     root        51120 Apr 21 17:23 ls
-rwxr-xr-x    1 root     root       116294 Apr 21 17:11 grep
-rwxr-xr-x    1 root     guest       15860 Apr 15 12:24 netstat
-rwxr-xr-x    1 root     guest       15855 Apr 15 12:24 ps

I'd like some advice on figuring out which kit was installed... or any helpful notes. It doesn't look like any of our /home/ files have been modified yet.

pjm
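As an added example (not code from the post or from the Cobalt list), here is the kind of offline triage the author describes: comparing binaries against a trusted list of md5 sums and looking for dot-directories under a path like /dev. Everything it touches is constructed in a temporary directory; the file names, contents and hashes are assumptions, not the real Qube3 files.

```python
# Added example (not from the post): integrity triage in the spirit of checking
# /bin against trusted md5 sums; all paths and hashes are constructed in a temp dir.
import hashlib
import os
import tempfile


def md5_of(path):
    """Hex md5 of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_baseline(bindir, baseline):
    """baseline maps binary name -> known-good md5 from a trusted source.
    Returns binaries whose hash differs, are missing, or are not in the list."""
    findings = {"modified": [], "missing": [], "unlisted": []}
    present = set(os.listdir(bindir))
    for name, good in baseline.items():
        if name not in present:
            findings["missing"].append(name)
        elif md5_of(os.path.join(bindir, name)) != good:
            findings["modified"].append(name)
    findings["unlisted"] = sorted(present - set(baseline))
    return findings


def find_hidden_dirs(root):
    """Dot-directories under root, e.g. the /dev/ida/.mc seen in the post."""
    return sorted(os.path.join(d, n) for d, names, _ in os.walk(root)
                  for n in names if n.startswith("."))


def demo():
    """Construct a fake bin/ and dev/, replace netstat, and run both checks."""
    tmp = tempfile.mkdtemp()
    bindir, devdir = os.path.join(tmp, "bin"), os.path.join(tmp, "dev")
    os.makedirs(bindir)
    os.makedirs(os.path.join(devdir, "ida", ".mc", "trojan"))  # constructed
    clean = {"netstat": b"genuine netstat\n", "ps": b"genuine ps\n", "ls": b"genuine ls\n"}
    baseline = {n: hashlib.md5(c).hexdigest() for n, c in clean.items()}
    clean["netstat"] = b"replaced netstat\n"   # simulate the swapped binary
    clean["xnetstat"] = b"extra file\n"         # present but not in the baseline
    for n, c in clean.items():
        with open(os.path.join(bindir, n), "wb") as f:
            f.write(c)
    return check_against_baseline(bindir, baseline), find_hidden_dirs(devdir)
```

On a real box the baseline would come from vendor media or a trusted peer, and the checker itself should be run from clean binaries (a mounted rescue image), since a replaced ls or md5sum would lie about the files it reports.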