(also posted)

This is a messy situation, especially if an intruder knows more about a system than 
the administrator.

Determining how an intruder entered is essential in closing those holes.  It may be 
that he used brute force on your telnet daemon, which means your passwords likely 
weren't tough enough, and you didn't have any logging to notice 10,000 failed login 
attempts to r00t or some other user.  Check out ippl (http://pltplp.net/ippl/) for a 
logger, and logcheck (http://www.psionic.com/) for a utility that will email you 
highlights of your logs.  It will search for words like 'failed', 'r00t', or whatever 
you specify.

If he didn't use brute force, he likely exploited bugs or inadequate security measures 
in other programs, such as a web server, or the Cobalt administration module.

You should contact Cobalt and tell them their system was cracked, assuming it wasn't 
your fault (i.e. weak passwords).  Perhaps they can offer help determining how, and how 
to clean it.  Although if it was cracked because of lack of knowledge on their part, 
their help may not be too useful in 'securing' the system.

Then it may be a very good idea to reinstall the whole system from scratch, as your 
binaries could have been replaced by trojaned versions which can allow the intruder to 
reenter.

Also, you should contact the local police.  They want to hear about it.  Even if they 
only 'file' the information, they may get more involved.

Cory

On Thu, Mar 29, 2001 at 09:45:05PM -0800, John Marsh wrote:
> 
>  **  This message was sent from the EUGLUG message board. Since  **
>  **   the person who submitted this question may not be on the   **
>  ** mailing list, please reply directly or on the message board: **
>  **            http://www.euglug.org/board.phtml?id=64           **
> 
> Well, I should have listened to Joe Hartman and installed secure
> shell.  I was busted and someone got into my Cobalt RaQ4 server. 
> They posted a Kill the "[we won't say]" page as the home page
> for each of my 6 virtual sites.  They also changed the root
> password.  What a pain.
> 
> So I was wondering what is the best secure shell to use,
> and how can I set up the server to only accept telnet traffic
> from certain IPs?  
> 
> When I discovered the event I had no choice but to http in
> through the Cobalt admin page.  (Interestingly this seems to be
> in the clear too.) I was able to get into the admin panel with
> the first password challenge, then I went immediately to change
> the password and it wouldn't work.  As if it was changed just as
> I was about to change it myself.
> 
> Yes, I'm new to Linux and appreciate any help.  Also, what file
> would I look at to see the telnet traffic?  Maybe the guy didn't
> cover his tracks and I could look for patterns in the IP
> addresses.
> 
> Thanks, John

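Cory's reply describes the kind of thing logcheck does (pull lines with 'failed' or 'r00t' out of the logs) and John asks where to look for the telnet traffic and for patterns in the IP addresses.  The script below is an added example, not part of the original thread and not code from logcheck, ippl or Cobalt: it runs the same idea over a handful of constructed syslog lines.  It assumes the telnet login daemon logs to a syslog file such as /var/log/messages or /var/log/secure in the "FAILED LOGIN n FROM host FOR user" / "LOGIN ON tty BY user FROM host" format of the classic Linux login program; the exact wording on a RaQ4 may differ, so the regexes are an assumption to adjust to the real file.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (syslog style, not from any real RaQ4):
# one host hammers the telnet daemon with several usernames, a second
# host mistypes a password once and then logs in normally, and the
# first host finally gets in as root.
SAMPLE_LOG = """\
Mar 29 20:58:41 raq4 in.telnetd[2201]: connect from 203.0.113.7
Mar 29 20:58:47 raq4 login[2201]: FAILED LOGIN 1 FROM 203.0.113.7 FOR root, Authentication failure
Mar 29 20:58:52 raq4 login[2201]: FAILED LOGIN 2 FROM 203.0.113.7 FOR root, Authentication failure
Mar 29 20:58:58 raq4 login[2201]: FAILED LOGIN 3 FROM 203.0.113.7 FOR r00t, Authentication failure
Mar 29 20:59:03 raq4 in.telnetd[2207]: connect from 203.0.113.7
Mar 29 20:59:09 raq4 login[2207]: FAILED LOGIN 1 FROM 203.0.113.7 FOR admin, Authentication failure
Mar 29 20:59:15 raq4 login[2207]: FAILED LOGIN 2 FROM 203.0.113.7 FOR admin, Authentication failure
Mar 29 21:02:30 raq4 in.telnetd[2240]: connect from 198.51.100.23
Mar 29 21:02:36 raq4 login[2240]: FAILED LOGIN 1 FROM 198.51.100.23 FOR john, Authentication failure
Mar 29 21:02:44 raq4 login[2240]: LOGIN ON ttyp1 BY john FROM 198.51.100.23
Mar 29 21:45:05 raq4 in.telnetd[2301]: connect from 203.0.113.7
Mar 29 21:45:12 raq4 login[2301]: LOGIN ON ttyp2 BY root FROM 203.0.113.7
"""

# Assumed message formats of the login program; adjust to what the real
# log file on the box actually contains.
FAILED_RE = re.compile(
    r"login\[\d+\]: FAILED LOGIN \d+ FROM (?P<host>\S+) FOR (?P<user>[^,\s]+)")
SUCCESS_RE = re.compile(
    r"login\[\d+\]: LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<host>\S+)")


def failed_logins(log_text):
    """Map each source host to a Counter of usernames it failed against."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_host[m.group("host")][m.group("user")] += 1
    return per_host


def brute_force_sources(log_text, threshold=5):
    """Hosts whose failed attempts reach the threshold, worst first."""
    totals = {h: sum(c.values()) for h, c in failed_logins(log_text).items()}
    ranked = sorted(totals.items(), key=lambda kv: -kv[1])
    return [(host, n) for host, n in ranked if n >= threshold]


def suspicious_successes(log_text, threshold=5):
    """Successful logins from a host that was brute-forcing beforehand:
    returns (host, user, timestamp) for each one."""
    bad_hosts = {host for host, _ in brute_force_sources(log_text, threshold)}
    hits = []
    for line in log_text.splitlines():
        m = SUCCESS_RE.search(line)
        if m and m.group("host") in bad_hosts:
            hits.append((m.group("host"), m.group("user"), line[:15]))
    return hits


def keyword_hits(log_text, keywords=("failed", "r00t")):
    """logcheck-style pass: every line containing any keyword (case-insensitive)."""
    wanted = [k.lower() for k in keywords]
    return [l for l in log_text.splitlines()
            if any(k in l.lower() for k in wanted)]


if __name__ == "__main__":
    for host, n in brute_force_sources(SAMPLE_LOG):
        users = ", ".join("%s x%d" % kv for kv in failed_logins(SAMPLE_LOG)[host].items())
        print("%s: %d failed logins (%s)" % (host, n, users))
    for host, user, when in suspicious_successes(SAMPLE_LOG):
        print("%s: successful login as %s from brute-forcing host %s" % (when, user, host))
```

Run it against the real file instead of SAMPLE_LOG (for example by reading /var/log/messages into `log_text`) and the per-host counts are the "patterns in the IP addresses" John is after.  One caveat that follows from Cory's last points: once the intruder has had root, the log file is his to edit, so an empty result proves nothing, which is part of why the advice is to reinstall rather than trust what the box reports about itself.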