
RE: [cobalt-security] Qubes - hacked



I was in the same boat when, one after another, my clients' Qube3s started
having problems. It was the week before Easter and on. It was very
stressful. One of the hacked Qube3s was missing the Smb files. We restored it
and put all of the Qubes behind a hardware firewall instead of using the
Adaptive Firewall. I thought I was alone, but when I read the forum I was
wrong.

Being an ex-Sun employee, I am very surprised that this has happened. I love
the Blue Box because it's a great solution for SOHO.

I learned to Ghost the Qube 3 image so I can restore it completely without
having to go through the OSRCD.

-Randy

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Parker Morse
Sent: Tuesday, April 29, 2003 6:56 AM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Qubes - hacked


On Tuesday, April 29, 2003, at 07:56  AM, Gavin Nelmes-Crocker wrote:
> Has anyone else been having problems with Qubes getting hacked?

Yes. I posted last week. It gave me a very stressful week getting a
temporary server online and, with massive help from Gerald, rebuilding our
Qube.

> If you run the latest version of chkrootkit it comes up with infected
> stuff, login, and others, as well as suggesting a Showtee rootkit. The only
> visible symptom to the user or sysadmin seems to be that the Windows file
> sharing server goes offline and won't come back up.

Hmm. It didn't turn up that way for me. chkrootkit 0.39 started telling me
"netstat" was infected, no other symptoms. I downloaded and installed
chkrootkit 0.40, which had the same output but with hangs during the scan;
I also had a sendmail issue which went away with a sendmail restart.

But the infected "netstat" was enough clue to find the kit, in our case. I
don't think I know enough to identify it, nor am I sure how they got in;
by the time I went looking, there were so many ports open it was not
obvious what was supposed to be and what had been opened by the intruder.

> I'm not sure how they get in to start with, we tend to run the qubes a
> little behind on the patching as they are not always a help if your Qube
> goes down due to a patch error, however at this moment we are patching to
> every last patch available on bluelink to try and lock this out.

I suspect I was also a little behind in patching; mysql is my best guess
of one we hadn't done which might have been an issue. However, one thing
on my list is comparing current installed versions of various
services--note, the >patched up< versions--with security advisories
somewhere.

Sun's practice of patching without changing the version number makes this
pretty difficult, of course (what are we supposed to think about QPopper
3.0.2?), but in some cases--qpopper leaps to mind, actually--it may be worth
breaking the Cobalt upgrade path to get secure software. I'd rather update
and keep patching all our software by hand than go through a week like
that one again.

pjm

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security