Re: [cobalt-security] Qubes - hacked
- Subject: Re: [cobalt-security] Qubes - hacked
- From: Parker Morse <morse@xxxxxxxxxxx>
- Date: Tue, 29 Apr 2003 09:56:11 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Tuesday, April 29, 2003, at 07:56 AM, Gavin Nelmes-Crocker wrote:
> Has anyone else been having problems with Qubes getting hacked?
Yes. I posted last week. It gave me a very stressful week getting a
temporary server online and, with massive help from Gerald, rebuilding our
Qube.
> If you run the latest version of chkrootkit it comes up with infected stuff,
> login, and others as well as suggesting a show tee root kit. The only
> visible symptom to the user or sysadmin seems to be that the Windows file
> sharing server goes offline and won't come back up.
Hmm. It didn't turn up that way for me. chkrootkit 0.39 started telling me
"netstat" was infected, no other symptoms. I downloaded and installed
chkrootkit 0.40, which had the same output but with hangs during the scan;
I also had a sendmail issue which went away with a sendmail restart.
But the infected "netstat" was enough clue to find the kit, in our case. I
don't think I know enough to identify it, nor am I sure how they got in;
by the time I went looking, there were so many ports open it was not
obvious what was supposed to be and what had been opened by the intruder.
> I'm not sure how they get in to start with, we tend to run the Qubes a
> little behind on the patching as they are not always a help if your Qube
> goes down due to a patch error, however at this moment we are patching to
> every last patch available on bluelink to try and lock this out.
I suspect I was also a little behind in patching; mysql is my best guess
of one we hadn't done which might have been an issue. However, one thing
on my list is comparing current installed versions of various
services--note, the >patched up< versions--with security advisories
somewhere.
Sun's practice of patching without changing the version number makes this
pretty difficult, of course (what are we supposed to think about QPopper
3.0.2?) but in some cases--qpopper leaps to mind, actually--it may be worth
breaking the Cobalt upgrade path to get secure software. I'd rather update
and keep patching all our software by hand than go through a week like
that one again.
pjm
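The thread turns on two points: chkrootkit flagging a replaced "netstat" was the only clue, and vendor patches that leave version strings unchanged make it hard to tell what is actually installed. A file-hash baseline addresses both, since it compares the binaries themselves rather than version numbers. The script below is an added example, not from the list post or from Cobalt; it assumes GNU sha256sum is available and uses a constructed temporary tree in place of the Qube's real /bin.

```sh
# Integrity baseline for binaries that rootkits commonly replace.
# Hashes, not version strings, are compared, because vendor patches
# (as the thread notes for Cobalt updates) may leave the version unchanged.
# Assumption: sha256sum from GNU coreutils is on the PATH.

BIN_LIST="netstat login ps ls"   # names from the thread plus common targets

# baseline_create ROOT OUTFILE: record "sha256  path" for each binary under ROOT.
# Run this on a known-good system (e.g. right after a clean rebuild) and store
# OUTFILE off the host, so an intruder cannot silently update it.
baseline_create() {
    root=$1; out=$2
    : > "$out"
    for b in $BIN_LIST; do
        [ -f "$root/$b" ] || continue
        sha256sum "$root/$b" >> "$out"
    done
}

# baseline_check BASELINE: print CHANGED/MISSING for any drift; return 1 if found.
baseline_check() {
    base=$1; bad=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"; bad=1
        fi
    done < "$base"
    return $bad
}

# Demonstration on a constructed tree standing in for /bin on the Qube.
demo() {
    t=$(mktemp -d)
    mkdir "$t/bin"
    printf 'original netstat\n' > "$t/bin/netstat"   # constructed stand-in
    printf 'original login\n'   > "$t/bin/login"     # constructed stand-in
    baseline_create "$t/bin" "$t/baseline.sha256"
    baseline_check "$t/baseline.sha256" && echo "clean: all binaries match baseline"
    printf 'replaced netstat\n' > "$t/bin/netstat"   # simulate a swapped binary
    baseline_check "$t/baseline.sha256" || echo "integrity failure detected"
    rm -rf "$t"
}

demo
```

In practice the baseline must be taken before compromise and kept off the box; a baseline captured after the fact only records the intruder's versions.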