Now.....I might be talking crazy here....but I think I have the total fix
for everything.
Step 1) OS Restore
Step 2) Put the Unit on a private IP so you can install the packages*
Step 3) Reboot and go live
Sorry that this is a reply to you Alex.....no, you're not the target of this Clue-by-4.
For anyone who didn't know....one of the main functions of this exploit is
the installation of a root kit that makes your Cobalt server......A
PortScanner. PortScanners spend their time scanning various subnets all
over the internet. So putting an unprotected box on the internet without
the patches and trying to install them while a port scan can get to
it.....is well....asking for it.
And a lot of people discovered that they had been rehacked after the
update....and cried, "we had the patches installed." But BIND can't close a
hole if it's already open. And for the few experiences I've seen, the
timestamps of when the exploit went in and when the BIND update went in are
close, usually the exploit beating out the update by about 20 mins.
So, while every Cobalt customer is learning a little something about good
sysadmin (it's usually a disaster that teaches us the best)....let's not
point the fingers here. And of course....hey, at least it's not Windows....
And as for the 8.2.2-P7....umm yeah, that's the default software
installed....or at least I thought so. But I didn't think that BIND 8.2.3
was released until post the first signs of the exploit.
It was my understanding that it was the BIND community that was caught with
their pants down....not Cobalt. I mean, this affected BIND, not Cobalt,
right? It is a BIND exploit, right?
Or maybe I'm just rambling
--------------------
AJC <[EMAIL PROTECTED]>
Rule 1 of Sysadmin : backup the file
--- Alex Lee <[EMAIL PROTECTED]> wrote:
> > We did not use a Cobalt patch to fix the compromised servers - we had to
> > design custom scripts and gather files to fix them. I guess the patch kits
> > made by Cobalt were not adequate to protect your machine against
> > this virus.
> > Cobalt must have decided that 8.2.2-P7 was good enough even though the
> > warnings said 8.2.3 was the answer. I'm not sure if they have a more
> > recent patch kit or not.
>
> The Cobalt patch does put in 8.2.3-REL
>
> [root /root]# ndc status
> named 8.2.3-REL Tue Jan 30 16:56:25 PST 2001
> [EMAIL PROTECTED]:/home/redhat/BUILD/bind-8.2.3/src/bin/named
> config (/etc/named.conf) last loaded at age: Wed Jan 3 17:26:50 2001
> number of zones allocated: 64
> debug level: 0
> xfers running: 0
> xfers deferred: 0
> soa queries in progress: 0
> query logging is OFF
> server is up and running
>
>
> alex
>
> _______________________________________________
> cobalt-developers mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-developers
=====
--------------
#!/usr/bin/perl
print "Have Clue Will Travel";
--------------