How do I edit the file that contains the IP to J.ROOT server? I am just learning this and cannot seem to find the right commands on my Qube 3 Pro.
Stefan

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:cobalt-security-
> [EMAIL PROTECTED] On Behalf Of cobalt-security-
> [EMAIL PROTECTED]
> Sent: Saturday, February 22, 2003 3:00 PM
> To: [EMAIL PROTECTED]
> Subject: cobalt-security digest, Vol 1 #1099 - 5 msgs
>
> Send cobalt-security mailing list submissions to
> [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://list.cobalt.com/mailman/listinfo/cobalt-security
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cobalt-security digest..."
>
>
> Today's Topics:
>
> 1. j root server (paul jacobs)
> 2. Re: j root server (Dave @ The Hostworks)
> 3. Re: j root server (Alan Ng)
> 4. Re: j root server (paul jacobs)
> 5. Cracker tools found on a RaQ 4 (Bruce Timberlake)
>
> --__--__--
>
> Message: 1
> Date: Fri, 21 Feb 2003 12:08:30 -0800
> To: [EMAIL PROTECTED]
> From: paul jacobs <[EMAIL PROTECTED]>
> Subject: [cobalt-security] j root server
> Reply-To: [EMAIL PROTECTED]
>
> What is the new I.P. for the "J" root server again?
>
>
>
> --__--__--
>
> Message: 2
> From: "Dave @ The Hostworks" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: [cobalt-security] j root server
> Date: Fri, 21 Feb 2003 15:19:25 -0500
> Reply-To: [EMAIL PROTECTED]
>
> not sure, nslookup ?
> ----- Original Message -----
> From: "paul jacobs" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, February 21, 2003 3:08 PM
> Subject: [cobalt-security] j root server
>
>
> > What is the new I.P. for the "J" root server again?
> >
> >
> > _______________________________________________
> > cobalt-security mailing list
> > [EMAIL PROTECTED]
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
>
>
> --__--__--
>
> Message: 3
> Date: Fri, 21 Feb 2003 12:22:29 -0800
> To: [EMAIL PROTECTED]
> From: Alan Ng <[EMAIL PROTECTED]>
> Subject: Re: [cobalt-security] j root server
> Reply-To: [EMAIL PROTECTED]
>
> This is what I have for "J"
>
> J.ROOT-SERVERS.NET. 192.58.128.30
>
> Alan
>
>
> At 12:08 PM 2/21/2003, you wrote:
> >What is the new I.P. for the "J" root server again?
>
>
> --__--__--
>
> Message: 4
> Date: Fri, 21 Feb 2003 12:39:28 -0800
> To: [EMAIL PROTECTED]
> From: paul jacobs <[EMAIL PROTECTED]>
> Subject: Re: [cobalt-security] j root server
> Reply-To: [EMAIL PROTECTED]
>
> At 12:22 PM 2/21/2003, you wrote:
>
> >This is what I have for "J"
> >
> > J.ROOT-SERVERS.NET. 192.58.128.30
> >
> >Alan
>
> Cool, thanks.
>
>
> >At 12:08 PM 2/21/2003, you wrote:
> >>What is the new I.P. for the "J" root server again?
>
>
> Best Regards,
> Paul Jacobs / SR. Network Manager
> Microsoft MCP 2000 / Cisco Certified
> Design / Install / Troubleshoot / Optimize /
> Security of WANs / LANs / Data Recovery
> Mon. - Fri. 9AM - 5PM (619)336-1400
> http://www.adv-data.com
>
>
> --__--__--
>
> Message: 5
> From: Bruce Timberlake <[EMAIL PROTECTED]>
> Organization: BRTNet.org
> To: [EMAIL PROTECTED]
> Date: Fri, 21 Feb 2003 16:47:48 -0800
> Cc: [EMAIL PROTECTED]
> Subject: [cobalt-security] Cracker tools found on a RaQ 4
> Reply-To: [EMAIL PROTECTED]
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Doing some work for a client, and found a set of tools called 'vanish'
> in /dev/.tty1. Looking at the source code shows this:
>
> /*********************************************************************
> Vanish.c cleans WTMP, UTMP, lastlog, messages, secure, xferlog,
> maillog, *
> * warn, mail, httpd.access_log, httpd.error_log. Use your brain, check
> your*
> * logs and edit accordingly
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!*
> **************************************************************************
> **
> * Warning!! This programm is for educational purpouse only! I am not
> *
> * responsible to anything you do with this
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!*
> **************************************************************************
> **
> * Code written for Unix like systems! Tested on SuSE-Linux 6.2 !
> *
> * Compile like: gcc vanish.c -o vanish
> *
> **************************************************************************
> */
>
>
> It needs access to the compiler to work.
>
> I found this by running a search for all programs without a valid
> owner on the system:
>
> find / -nouser -o -nogroup -exec ls -lF {} \;
>
> Here's what the directory and filenames look like (sorry for the bogus
> wrapping):
>
> drwxr-xr-x 5 1471 1471 1024 Oct 29 13:32 sk-1.3a/
> - -rw-r--r-- 1 root 500 45051 Jul 7 2002 sk-1.3a.tar.gz
> - -rwxr-xr-x 1 root 500 17433 Oct 29 13:31 van*
> - -rw-r--r-- 1 root 500 6195 Feb 15 2000 vanish.c
> - -rw-r--r-- 1 root 500 45051 Jul 7 2002 /dev/.tty1/sk-1.3a.tar.gz
> - -rw-r--r-- 1 root 500 6195 Feb 15 2000 /dev/.tty1/vanish.c
> - -rwxr-xr-x 1 root 500 17433 Oct 29 13:31 /dev/.tty1/van*
> - -rw-r--r-- 1 root 500 217 Oct 29 13:32 /dev/.tty1/sk-1.3a/include/config.h
> - -rw-r--r-- 1 root 500 7236 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/sha1.o
> - -rw-r--r-- 1 root 500 1904 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/crypto.o
> - -rwxr-xr-x 1 root 500 12224 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/pass*
> - -rwxr-xr-x 1 root 500 16864 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/login*
> - -rw-r--r-- 1 root 500 5908 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/backdoor.o
> - -rw-r--r-- 1 root 500 2820 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/client.o
> - -rw-r--r-- 1 root 500 2976 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/install.o
> - -rw-r--r-- 1 root 500 51505 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/kernel.s
> - -rw-r--r-- 1 root 500 11548 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/kernel.o
> - -rw-r--r-- 1 root 500 1108 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/kmem.o
> - -rw-r--r-- 1 root 500 1084 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/lib.o
> - -rw-r--r-- 1 root 500 2580 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/main.o
> - -rw-r--r-- 1 root 500 1708 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/pattern.o
> - -rw-r--r-- 1 root 500 7504 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/printf.o
> - -rwxr-xr-x 1 root 500 29816 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/sk*
> - -rwxr-xr-x 1 root 500 3388 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/bin2oct*
> - -rwxr-xr-x 1 root 500 16864 Oct 29 13:32 /dev/.tty1/sk-1.3a/login*
> - -rwxr-xr-x 1 root 500 29816 Oct 29 13:32 /dev/.tty1/sk-1.3a/sk*
> - -rw-r--r-- 1 root 500 61671 Oct 29 13:32 /dev/.tty1/sk-1.3a/inst
>
> Also you might want to run a check for all setuid files and see if
> anything suspicious appears:
>
> find / -type f -perm +6000 -exec ls -lF {} \;
>
> I'm sending the info to the chkrootkit folks for (hopeful) inclusion
> in the next chkrootkit update...
>
> - --
> Bruce Timberlake
> http://www.brtnet.org/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQE+Vsi1vLA2hUZ9kgwRAgQYAJ99LeNkO6VWTkGuFf1dpKNrhH4KcQCdG6Un
> YVROLdY7ILWSW/8lRA/lInY=
> =nLUl
> -----END PGP SIGNATURE-----
>
>
> --__--__--
>
> End of cobalt-security Digest
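
Added example, not part of the original thread or written by any of its posters: the two searches from Bruce Timberlake's message (files with no valid owner or group, setuid/setgid files) as portable sh functions, plus a sweep for regular files and hidden directories under a device directory, which goes one step beyond the message to cover a hiding place like /dev/.tty1. The function names are assumptions. The owner test is parenthesised so the action applies to both -nouser and -nogroup matches, and the two -perm tests replace the older "-perm +6000" spelling.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Files whose numeric owner or group has no passwd/group entry.
# The parentheses make -print apply to both tests; in the unparenthesised
# form an action written after "-nogroup" runs only for the -nogroup branch.
# -xdev stays on one filesystem (keeps find out of /proc); run the
# function once per mounted filesystem.
orphaned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Regular files with the setuid or setgid bit set. The two -perm tests
# are the portable spelling of GNU find's "-perm /6000".
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Regular files and dot-directories below a device directory.
# Device nodes and symlinks are skipped. Some hits are legitimate;
# review each one.
dev_oddities() {
    find "$1" \( -type f -o -type d -name '.*' \) -print 2>/dev/null
}

# Typical use, as root:
#   orphaned_files /
#   setid_files /
#   dev_oddities /dev
```

Save the setuid/setgid list from a known-good install and diff later runs against it; a new entry is worth more attention than the absolute list.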
