Hi Lance, Good work on recovering that box and a nice write up.
Here is some additional info which might help others in the same situation:

Source for the original RPMs (easier than to fetch 'em from the OS restore CD):

  RaQ4: ftp://ftp.cobalt.com/pub/products/raq4/RPMS/
  RaQ3: ftp://ftp.cobalt.com/pub/products/raq3/RPMS/

To reinstall "procps" (for instance) on a hacked RaQ4 one would just run the command ...

  rpm -hUv --force --nodeps \
    ftp://ftp.cobalt.com/pub/products/raq4/RPMS/procps-2.0.6-5.i386.rpm

Another easy way to selectively install individual files from an RPM (and not the whole shebang) is Midnight Commander. If mc is installed (and the RPM has 644 permissions), then you just hit return on the RPM and open it in mc. Browse to CONTENTS.cpio and hit return again. Then you'll be able to see the files and folders which that RPM would install.

Also, for troubleshooting a hacked box the command "lsof" is *very* useful. It lists open files. That command is not installed on a RaQ3 or RaQ4 (and we wouldn't trust any onboard tool on a hacked box anyway). So you can grab it here:

  rpm -hUv \
    ftp://rpmfind.net/linux/redhat/6.2/en/os/i386/RedHat/RPMS/lsof-4.47-2.i386.rpm

To see which files hold a network connection or socket open (backdoors anyone?) the command ...

  /usr/sbin/lsof -n | grep LISTEN

... shows a list of all files in that category.

However, if /sbin/init has been modified and/or a kernel based rootkit is installed, then even the output from clean commands could be filtered and modified while they run. Fortunately most of the hacks aren't that sophisticated.

--
With best regards,

Michael Stauber
[EMAIL PROTECTED]
Unix/Linux Support Engineer

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
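The post's caveat is that a trojaned userland or kernel rootkit can filter what lsof shows. One cheap cross-check is to compare lsof's LISTEN list against the kernel's own /proc/net/tcp table (present on the 2.2 kernels these boxes ran) and against a known-good baseline of ports. This is an added example, not from the original post; the lsof and /proc/net/tcp samples, PIDs, ports and the baseline are all constructed and hypothetical.

```shell
#!/bin/sh
# Cross-check listening TCP ports reported by lsof against the kernel's own
# /proc/net/tcp table. A port present in /proc/net/tcp but missing from lsof
# output is a hint that the userland view is being filtered.
# Both samples below are CONSTRUCTED for this example (hypothetical PIDs/ports).
LSOF_SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd    211 root  3u IPv4 312 TCP *:22 (LISTEN)
httpd   402 root 16u IPv4 501 TCP *:80 (LISTEN)
httpd   402 root 17u IPv4 502 TCP *:443 (LISTEN)
admserv 455 root  5u IPv4 610 TCP *:81 (LISTEN)'

# st=0A is TCP_LISTEN; the local port is the hex value after the colon.
PROC_TCP_SAMPLE='  sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 312 1 0 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 501 1 0 100 0 0 10 0
   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 502 1 0 100 0 0 10 0
   3: 00000000:0051 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 610 1 0 100 0 0 10 0
   4: 00000000:0D3D 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 999 1 0 100 0 0 10 0
   5: 0A000002:0016 0A000003:C001 01 00000000:00000000 00:00000000 00000000 0 0 1200 1 0 20 4 30 10 0'

# Ports lsof marks as (LISTEN), one per line, numerically sorted.
lsof_listen_ports() {
  printf '%s\n' "$1" | awk '/\(LISTEN\)/ { p = $(NF-1); sub(/.*:/, "", p); print p }' | sort -un
}

# Listening ports according to the kernel table (hex -> decimal).
proc_listen_ports() {
  printf '%s\n' "$1" | awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' |
    while read -r hex; do printf '%d\n' "0x$hex"; done | sort -un
}

# Ports the kernel says are listening but lsof never showed.
hidden_listeners() {
  { lsof_listen_ports "$1" | sed 's/^/L /'; proc_listen_ports "$2" | sed 's/^/P /'; } |
    awk '$1 == "L" { seen[$2] = 1 } $1 == "P" && !seen[$2] { print $2 }' | sort -n
}

# Kernel-listed ports not in a space-separated known-good baseline for this host.
unexpected_listeners() {
  proc_listen_ports "$1" | while read -r port; do
    case " $2 " in *" $port "*) ;; *) echo "$port" ;; esac
  done
}

echo "Listening per lsof:   $(lsof_listen_ports "$LSOF_SAMPLE" | tr '\n' ' ')"
echo "Listening per kernel: $(proc_listen_ports "$PROC_TCP_SAMPLE" | tr '\n' ' ')"
echo "Hidden from lsof:     $(hidden_listeners "$LSOF_SAMPLE" "$PROC_TCP_SAMPLE" | tr '\n' ' ')"
echo "Not in baseline:      $(unexpected_listeners "$PROC_TCP_SAMPLE" "22 80 81 443" | tr '\n' ' ')"
```

On a live box, feed it `lsof -n -i` and `cat /proc/net/tcp` instead of the samples; a disagreement between the two views is worth more than either list alone, though a kernel rootkit can of course lie in /proc as well.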
