RE: [cobalt-security] Re: Cobalt Raq 4 Hacked
- Subject: RE: [cobalt-security] Re: Cobalt Raq 4 Hacked
- From: "Jelmer Jellema" <lists@xxxxxxxxxxxxxxx>
- Date: Thu, 6 Nov 2003 10:54:04 +0100
- Organization: Spin in het Web www.spininhetweb.nl
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Tripwire works just fine, though it will take you a while to get the right
policy entries in (if I recall correctly, starting with the Red Hat version of
a prefab policy file saves you some time, but if you use the
cobalt-management admin system you should add stuff).
I run it from cron every x hours and it reports nicely every time I changed
something. Of course I cannot know whether it failed to report some hack, but
I still feel secure (as did you until...).
I could send you - off list - a policy file I use on a Raq4, with some
site-specific stuff out. But as I don't use the cobalt management stuff any
more, this is not very well included.
I take it you also have chkrootkit installed.
Jelmer
-----------------------------------------------------------------
Jelmer Jellema - Spin in het Web
http://www.spininhetweb.nl
Spin in het Web: All the strings in hand
-----------------------------------------------------------------
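Jelmer's set-up above (a baseline taken when the box is known-good, re-checked from cron, with a report only when something changed) is easy to see in miniature. The script below is an added example written for this page; it is not Tripwire and not code from anyone in the thread. It records a SHA-1 per file under a directory, re-hashes later and reports modified, added and deleted paths, then replays the incident Pablo describes (every index.* under a site tree overwritten, one extra file dropped) on constructed sample files in a scratch directory. It assumes only POSIX sh plus find, sort, awk, mktemp and GNU sha1sum; the cron line at the bottom and the /usr/local/sbin/fim.sh path in it are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread and not Tripwire itself: a minimal
# Tripwire-style baseline/check in POSIX sh that shows what a cron-driven
# integrity check reports when every index.* file under a site tree is
# replaced, as in the incident above. Needs find, sort, awk, mktemp and
# sha1sum (GNU coreutils). Paths containing whitespace are not handled,
# because sha1sum's two-column output is split on whitespace.

# snapshot DIR: one "hash  ./relative/path" line per regular file below DIR.
snapshot() {
    ( cd "$1" && find . -type f -exec sha1sum {} + ) | sort -k2
}

# baseline_init DIR DB: record the current state of DIR in DB.
# In real use DB must live where the web server's uid cannot write it
# (Tripwire signs its database for the same reason).
baseline_init() {
    snapshot "$1" > "$2"
}

# baseline_check DIR DB: print one line per difference, "M path" (content
# changed), "A path" (new file), "D path" (deleted). Returns 0 when nothing
# changed and 1 otherwise, so a cron job only produces mail when there is
# something to read.
baseline_check() {
    now=$(mktemp) || return 2
    snapshot "$1" > "$now"
    report=$(awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
                  { cur[$2] = $1 }
                  END {
                      for (f in base) if (!(f in cur)) print "D", f
                      for (f in cur)
                          if (!(f in base))           print "A", f
                          else if (cur[f] != base[f]) print "M", f
                  }' "$2" "$now" | sort)
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo_incident: rebuild the scenario from the thread in a scratch tree
# (constructed sample data), take a baseline, overwrite every index.* file
# and drop one extra file, then run the check. Prints the report followed
# by "status N"; always returns 0 so the output can be captured.
demo_incident() {
    root=$(mktemp -d) || return 2
    db=$(mktemp) || return 2
    mkdir -p "$root/sites/site1/web" "$root/sites/site2/web"
    echo '<h1>Site 1</h1>'   > "$root/sites/site1/web/index.html"
    echo 'body { margin:0 }' > "$root/sites/site1/web/style.css"
    echo '<h1>Site 2</h1>'   > "$root/sites/site2/web/index.html"
    echo '<?php echo 1; ?>'  > "$root/sites/site2/web/index.php"
    baseline_init "$root" "$db"

    # Simulated defacement: only index.* is touched, plus one dropped file.
    find "$root/sites" -type f -name 'index.*' \
        -exec sh -c 'echo "defaced" > "$1"' _ {} \;
    echo 'placeholder' > "$root/sites/site1/web/.dropped"

    baseline_check "$root" "$db" && rc=0 || rc=$?
    echo "status $rc"
    rm -rf "$root" "$db"
    return 0
}

# demo_clean: baseline and re-check an untouched tree; returns the check's
# exit status, which should be 0 (no report, no mail).
demo_clean() {
    root=$(mktemp -d) || return 2
    db=$(mktemp) || return 2
    echo 'x' > "$root/index.html"
    baseline_init "$root" "$db"
    baseline_check "$root" "$db" && rc=0 || rc=$?
    rm -rf "$root" "$db"
    return "$rc"
}

# Assumed cron line (script path, database path and interval are placeholders):
# 0 */6 * * * /usr/local/sbin/fim.sh check /home/sites /var/lib/fim/sites.db
case "${1:-}" in
    init)  baseline_init "$2" "$3" ;;
    check) baseline_check "$2" "$3" ;;
    demo)  demo_incident ;;
esac
```

Running `sh fim.sh demo` prints four lines, `A` for the dropped file and `M` for the three index.* files, and nothing for the untouched style.css; the `status 1` exit code is what makes cron send mail only on change. The real Tripwire workflow is the same shape: `tripwire --init` after the rebuild, `tripwire --check` from cron. The caveat Jelmer raises (he cannot know whether a hack went unreported) is exactly the weak point of a check like this one: an attacker who can overwrite index.* under / can also edit a baseline stored on the same filesystem, so keep the database and the checker on read-only or offline media, or at least outside anything the web server and its CGIs can write.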
> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On behalf of Cory
> Hollingsworth
> Sent: Wednesday, 5 November 2003 16:46
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] Re: Cobalt Raq 4 Hacked
>
>
> > Subject: [cobalt-security] Cobalt Raq 4 Hacked
> >
> > Hi all.
> > Today at 2:00 in the morning our RaQ4 was hacked.
> >
> > The hack replaced all files named index.* with own
> > hacker content.
> >
> > We have had this issue a couple of weeks ago. That
> > time the hack affected all index.* files under
> > /home/sites.
> >
> > Now the hack affected all index.* files under / so the
> > Control Panel is affected too.
> >
> > I must note a week ago the server was rebuilt from
> > scratch and ALL upgrades were applied.
> >
> > I have chkrootkit and portsentry installed. None of
> > those reported strange activity.
> >
> > I have checked open ports in the server and there's no
> > strange ports opened.
> >
> > I want to know if somebody has experienced the same
> > issue, and any help will be appreciated.
> >
> > TIA
> > Pablo
>
> I've had a similar problem with a Raq 4 last week. Instead,
> my issue was someone using the server as a DoS attack
> machine. Their attack removed /var/log and turned off all
> network services into the machine. Also, unbeknownst to me, on
> an earlier date Apache stopped logging in the
> /home/sites/XXX/log sub directories.
>
> Even though the machine was fully patched, the Apache logging
> had halted before I applied the latest patches. It may have
> been compromised months before it was used as a DoS attack machine.
>
> Their DoS attack I believe unintentionally wiped out the root
> filesystem so the machine could no longer boot. It took a
> couple of days of hacking at the serial console to get the
> machine working well enough to ssh the accounts and data off
> the machine.
>
> I've since moved everything onto a Raq550 I had hanging
> around as a spare. The only things lost were the users
> passwords as I couldn't easily load them from the old shadow
> file as the Raq550 stores passwords in a BTREE in /var/db/shadow.db.
>
> As of yet I haven't figured out how the machine was
> exploited. But we had 600+ users on the machine with CGI, so
> it is not infeasible the exploit could have been in user CGI
> rather than the core services.
>
> Any one have any luck with tripwire on Raqs? That is the
> only thing I can think of trying at this time.
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>