
Re: [cobalt-security] Qubes - hacked

On Tuesday, April 29, 2003, at 07:56  AM, Gavin Nelmes-Crocker wrote:
> Has anyone else been having problems with Qubes getting hacked?

Yes. I posted last week. It gave me a very stressful week getting a temporary server online and, with massive help from Gerald, rebuilding our Qube.

> If you run the latest version of chkrootkit it comes up with infected stuff,
> login, and others, as well as suggesting a Showtee rootkit. The only
> visible symptom to the user or sysadmin seems to be that the Windows file
> sharing server goes offline and won't come back up.

Hmm. It didn't turn up that way for me. chkrootkit 0.39 started telling me "netstat" was infected, no other symptoms. I downloaded and installed chkrootkit 0.40, which had the same output but with hangs during the scan; I also had a sendmail issue which went away with a sendmail restart.

But the infected "netstat" was enough clue to find the kit, in our case. I don't think I know enough to identify it, nor am I sure how they got in; by the time I went looking, there were so many ports open it was not obvious what was supposed to be and what had been opened by the intruder.

> I'm not sure how they get in to start with; we tend to run the Qubes a
> little behind on the patching, as patches are not always a help if your Qube
> goes down due to a patch error. However, at this moment we are patching to
> every last patch available on bluelink to try and lock this out.

I suspect I was also a little behind in patching; MySQL is my best guess for one we hadn't done that might have been an issue. However, one thing on my list is comparing current installed versions of various services--note, the >patched up< versions--with security advisories somewhere.

Sun's practice of patching without changing the version number makes this pretty difficult, of course (what are we supposed to think about QPopper 3.0.2?), but in some cases--qpopper leaps to mind, actually--it may be worth breaking the Cobalt upgrade path to get secure software. I'd rather update and keep patching all our software by hand than go through a week like that one again.

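One practical follow-up to the "too many open ports to tell what was supposed to be there" problem above is a listening-port baseline that does not depend on netstat at all, since a trojaned netstat is exactly the binary that would lie about the intruder's listeners. The script below is an added example written for this thread, not code from either poster: it parses the /proc/net/tcp table that the kernel exposes directly, pulls out sockets in LISTEN state, and diffs them against a baseline set of ports the administrator recorded while the box was known-good. The sample table and the baseline port list are constructed for illustration; a real baseline would be taken from the machine before deployment and stored off-box.

```python
"""Diff listening TCP ports against a known-good baseline without using netstat.

Added example for the cobalt-security thread (not the posters' code).
Reads the /proc/net/tcp format directly: a trojaned netstat can hide
listeners, but the kernel's own table is harder to tamper with from
userland (a kernel-level rootkit can still lie, so an nmap from another
host remains the definitive check).
"""
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real Qube).
# Columns: sl, local_address (hex ip:port), rem_address, st (0A = LISTEN), ...
# Ports present: 22, 25, 110, 3306 and an unexpected 6666; 139 (Samba) is absent,
# mirroring the "file sharing goes offline" symptom described in the thread.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 0
   2: 00000000:006E 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 100 0 0 10 0
   3: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1238 1 00000000 100 0 0 10 0
   4: 00000000:1A0A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1240 1 00000000 100 0 0 10 0
   5: 0100007F:0CEA 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1239 1 00000000 20 4 30 10 -1
"""

# Hypothetical baseline recorded while the host was known-good:
# ssh, smtp, pop3, netbios-ssn (Samba), mysql.
EXPECTED_LISTENERS = {22, 25, 110, 139, 3306}

LISTEN_STATE = "0A"


def listening_ports(proc_net_tcp_text):
    """Return a set of (ip, port) for every socket in LISTEN state."""
    found = set()
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        # Header line and blank lines never have "0A" in the state column.
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # The kernel prints the IPv4 address as 8 hex digits in host byte
        # order; on little-endian x86 "0100007F" is 127.0.0.1.
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        found.add((ip, int(port_hex, 16)))
    return found


def diff_against_baseline(current, baseline):
    """Return (unexpected, missing) port sets relative to the baseline.

    Unexpected ports are candidates for an intruder's backdoor or bouncer;
    missing ports are services that should be up but are not (the thread's
    Samba symptom).
    """
    current_ports = {port for _, port in current}
    return current_ports - baseline, baseline - current_ports


def report(path="/proc/net/tcp", baseline=EXPECTED_LISTENERS):
    """Read the live kernel table and print the diff; for running on a host."""
    with open(path) as handle:
        current = listening_ports(handle.read())
    unexpected, missing = diff_against_baseline(current, baseline)
    for port in sorted(unexpected):
        print("UNEXPECTED listener on port %d" % port)
    for port in sorted(missing):
        print("MISSING baseline service on port %d" % port)
    return unexpected, missing


if __name__ == "__main__":
    # On a real host this reads the kernel table; here the constructed
    # sample shows the shape of the output.
    unexpected, missing = diff_against_baseline(
        listening_ports(SAMPLE_PROC_NET_TCP), EXPECTED_LISTENERS)
    print("unexpected:", sorted(unexpected), "missing:", sorted(missing))
```

Two caveats worth stating: the diff only covers TCP (UDP listeners live in /proc/net/udp with the same layout and could be added the same way), and once a binary such as netstat is flagged, the binary itself should be checked against the package database (on an RPM-based Cobalt image, `rpm -V` on the package that owns /bin/netstat is the usual check) rather than trusted for anything further. As the thread says, once you are at the point of guessing which ports are legitimate, a rebuild from known media and the saved baseline is the safer path.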