Excellent advice and well thought out, Cory.
Regards, Jim
At 10:57 AM 3/30/2001 -0800, you wrote:
>(also posted)
>
>This is a messy situation, especially if an intruder knows more about a
>system than the administrator.
>
>Determining how an intruder entered is essential in closing those
>holes. It may be that he used brute force on your telnet daemon, which
>means your passwords likely weren't tough enough, and you didn't have any
>logging to notice 10,000 failed login attempts to r00t or some other
>user. Check out ippl (http://pltplp.net/ippl/) for a logger, and logcheck
>(http://www.psionic.com/) for a utility that will email you highlights of
>your logs. It will search for words like 'failed', 'r00t', or whatever
>you specify.
>
>If he didn't use brute force, he likely exploited bugs or inadequate
>security measures in other programs, such as a web server, or the Cobalt
>administration module.
>
>You should contact Cobalt and tell them their system was cracked, assuming
>it wasn't your fault (i.e. weak passwords). Perhaps they can offer help
>determining how, and how to clean it. Although if it was cracked because
>of lack of knowledge on their part, their help may not be too useful in
>'securing' the system.
>
>Then it may be a very good idea to reinstall the whole system from
>scratch, as your binaries could have been replaced by trojaned versions
>which can allow the intruder to reenter.
>
>Also, you should contact the local police. They want to hear about
>it. Even if they only 'file' the information, they may get more involved.
>
>Cory
>
>On Thu, Mar 29, 2001 at 09:45:05PM -0800, John Marsh wrote:
> >
> > ** This message was sent from the EUGLUG message board. Since **
> > ** the person who submitted this question may not be on the **
> > ** mailing list, please reply directly or on the message board: **
> > ** http://www.euglug.org/board.phtml?id=64 **
> >
> > Well I should have listened to Joe Hartman and installed secure
> > shell. I was busted and someone got into my Cobalt RaQ4 server.
> > They posted a Kill the "[we won't say]" page as the home page
> > for each of my 6 virtual sites. They also changed the root
> > password. What a pain.
> >
> > So I was wondering what is the best secure shell to use;
> > and how can I set up the server to only accept telnet traffic
> > from certain IPs?
> >
> > When I discovered the event I had no choice but to http in
> > through the Cobalt admin page. (Interestingly this seems to be
> > in the clear too.) I was able to get into the admin panel with
> > the first password challenge, then I went immediately to change
> > the password and it wouldn't work. As if it was changed just as
> > I was about to change it myself.
> >
> > Yes, I'm new to Linux and appreciate any help. Also, what file
> > would I look at to see the telnet traffic? Maybe the guy didn't
> > cover his tracks and I could look for patterns in the IP
> > addresses.
> >
> > Thanks, John
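As an added illustration of the log-review step Cory recommends (noticing repeated failed logins and keywords like 'failed' or 'r00t') and of John's idea of looking for patterns in source addresses, here is a small scanner written for this thread; it is not code from Cory, John, Cobalt, ippl or logcheck. The log line format, the host name `raq4`, the addresses and the threshold of 3 are all assumptions constructed for the example; real login logging varies by system and by what syslog is configured to record.

```python
"""Count failed login attempts per source address and flag brute-force patterns.

Added example for this thread, not from any poster or tool mentioned in it.
The syslog-style line format below is an assumption; the sample lines are
constructed, not a real log.
"""
import re
from collections import Counter

# Constructed sample lines (assumed format: syslog prefix, then login(1)-style
# "FAILED LOGIN n FROM <ip> FOR <user>, ..." or "LOGIN ON <tty> BY <user> FROM <ip>").
SAMPLE_LOG = """\
Mar 29 21:10:01 raq4 login[1201]: FAILED LOGIN 1 FROM 10.0.0.5 FOR r00t, Authentication failure
Mar 29 21:10:03 raq4 login[1201]: FAILED LOGIN 2 FROM 10.0.0.5 FOR r00t, Authentication failure
Mar 29 21:10:05 raq4 login[1201]: FAILED LOGIN 3 FROM 10.0.0.5 FOR root, Authentication failure
Mar 29 21:10:09 raq4 login[1204]: FAILED LOGIN 1 FROM 10.0.0.5 FOR admin, Authentication failure
Mar 29 21:12:40 raq4 login[1210]: LOGIN ON ttyp0 BY admin FROM 192.168.1.20
Mar 29 21:15:00 raq4 login[1215]: FAILED LOGIN 1 FROM 192.168.1.20 FOR admin, Authentication failure
Mar 29 21:20:31 raq4 login[1220]: LOGIN ON ttyp1 BY root FROM 10.0.0.5
"""

FAILED_RE = re.compile(r"FAILED LOGIN \d+ FROM (?P<ip>\S+) FOR (?P<user>[^,\s]+)")
SUCCESS_RE = re.compile(r"LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<ip>\S+)")
# logcheck-style keyword matching, case-insensitive
KEYWORDS = ("failed", "r00t")


def scan(log_text, threshold=3):
    """Summarise a log: failures per source IP, per (IP, user), keyword hits,
    IPs at or over `threshold` failures, and successful logins from an IP
    that had already been failing earlier in the log."""
    failures_by_ip = Counter()
    failures_by_ip_user = Counter()
    keyword_hits = []
    suspicious_success = []

    for line in log_text.splitlines():
        low = line.lower()
        if any(k in low for k in KEYWORDS):
            keyword_hits.append(line)

        m = FAILED_RE.search(line)
        if m:
            failures_by_ip[m["ip"]] += 1
            failures_by_ip_user[(m["ip"], m["user"])] += 1
            continue

        m = SUCCESS_RE.search(line)
        # Counter returns 0 for unseen keys, so this is safe for new IPs.
        if m and failures_by_ip[m["ip"]] > 0:
            # A success from an address that was failing earlier is exactly
            # the pattern worth following up on.
            suspicious_success.append((m["ip"], m["user"]))

    flagged_ips = sorted(ip for ip, n in failures_by_ip.items() if n >= threshold)
    return {
        "failures_by_ip": dict(failures_by_ip),
        "failures_by_ip_user": dict(failures_by_ip_user),
        "keyword_hits": keyword_hits,
        "flagged_ips": flagged_ips,
        "suspicious_success": suspicious_success,
    }


def report(summary):
    """Render the summary as the kind of highlights a log mailer would send."""
    lines = ["Failed logins per source IP:"]
    for ip, n in sorted(summary["failures_by_ip"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {ip}: {n}")
    lines.append("IPs at/over threshold: " + (", ".join(summary["flagged_ips"]) or "none"))
    for ip, user in summary["suspicious_success"]:
        lines.append(f"  WARNING: successful login as {user} from {ip} after earlier failures")
    lines.append(f"Keyword hits: {len(summary['keyword_hits'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(scan(SAMPLE_LOG)))
```

Run against a real login or messages log (for example `scan(open("/var/log/messages").read())`, path assumed) the regexes will need adjusting to that system's actual format; the point is the two signals, a high failure count from one address and a later success from the same address, which together are worth far more than any single line.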