>> Does anyone know of a fix, or if any of the recent Cobalt/SUN patches
>> addressed the RaQFuCK hack that grabs access from /usr/lib/authenticate and
>> opens a shell..? I just discovered a user who recently found, and apparently
>> tried to execute this hack/script on my RaQ4 (found scraps of the script and
>> the gmon.out file on the system).. I don't permit shell access, and I'm not
>> sure if they managed to get a shell with the script, and frankly I'm not
>> interested in trying the script on my only RaQ4 which is in production - but
>> I'll be a little hot under the collar if I discover this user got a shell and
>> this issue hasn't been patched/addressed in any of the recent patches.. This
>> exploit has been in the wild for at -least- 3 months already.. Has this been
>> addressed/fixed if the RaQ4 is fully patched..? Thanks!
>>
> This patch
>
> http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-All-Security-2.0.1-2-15787.pkg
>
> is supposed to fix the issue among other things. Or, on September 25 I posted
> instructions on how to fix the problem by hand:
>
> http://list.cobalt.com/pipermail/cobalt-security/2002-September/006327.html

IIRC, the hack doesn't really do anything until you reboot the machine. If the
script has been executed, you definitely ought to go through the machine with a
fine toothed comb.

HTH,

j

--
http://www.bizmanuals.com
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
