HPE Community
Appliance Servers
1858171 Members
7407 Online
110385 Solutions
New Discussion

Root exploit on SA1100 Appliance

 
Craig Jungers
Occasional Advisor

‎01-14-2003 03:29 PM

‎01-14-2003 03:29 PM

Root exploit on SA1100 Appliance

Our SA1100, which homes some domains for our ISP, got rooted via an exploit for the version of ssh that is running on the box. The 1100 notifications worked and told us there was a problem, we found that several critical files were changed (ps, login, top, and others). We closed off the box at the border router (Cisco access lists) and tried to restore all these altered utilities but ended up just doing a complete restore from backups made the previous week. Fortunately the cracker did not realize that the files in /emergency were there or he would have modified those too. We were also fortunate in that our backups were copied to a network backup server and were available.

The moral of this story is to keep good backups somewhere other than on your SA1100 and to NOT run ssh!!! (Or upgrade ssh to a newer version.) I now recommend leaving both telnet and ssh off and turning them on if needed at the web admin page.

Also, the SA1100 backups of domains and email does not restore the users in /etc/passwd. There may be copies of that somewhere but I didn't find them in the time available.

This may be a dupe message as the first one disappeared. If it is, I apologize.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.