ATT : my raq3 got hacked!!!
my raq3 with 4webspace was hacked and almost all the passwords and almost all the index.html files have been changed to the one with the message :
Powered by H.U.C(c0011i0n).-----1i0n Crew
i was in the process of installing the patches ... but too late i suppose :(
those of you using raq3 who haven't installed the patches yet, please do it RIGHT NOW!!! it's all at
http://www.cobalt.com/support/download/raq3.eng.html
one question ... if we installed the latest patches and keep it up-to-date ... is it possible for our raq3 to be hacked once again?
A 'root-kit' may have been installed. You should check to see if any other binaries have been changed, etc. For the paranoid, only a re-install will suffice.
one question ... if we installed the latest patches and keep it up-to-date ... is it possible for our raq3 to be hacked once again?
Anything is possible. But if you've installed the patches, you shouldn't be hacked by the same attack again.
marcum 04-10-2001, 04:53 AM
Once an exploit is made public ... some people will scan the net looking for a target to play with.
i have to pay $100 to restore my raq3, i will install the patches as soon as possible and hopefully that will somehow block the hackers :(
Noti,
Whose DNS server did you use, 4webspace or your own?
I've inquired from them before and I was informed that
it was their policy to require you to use their DNS
server specifically to avoid any exploits.
If you were using their DNS server, how would it be
possible that your RAQ was compromised? Unless of
course you were using your own.
Mivo
I think he is not using his...
He just never updated any patch until he got hacked. There are many exploits fixed by the released patches, so not updating them frequently is a bad idea.
Mike the newbie 04-10-2001, 06:41 AM
Originally posted by Mivo
Whose DNS server did you use, 4webspace or your own?
I've inquired from them before and I was informed that
it was their policy to require you to use their DNS
server specifically to avoid any exploits.
If you were using their DNS server, how would it be
possible that your RAQ was compromised? Unless of
course you were using your own.
In addition to not using your own DNS, you also have to turn the DNS service off from your control panel.
yup, i am not using my own DNS and didn't have the DNS on. but the problem is that i never update the patches :(
by the way, if i have installed the latest patches and keep it up-to-date and using my own DNS, is it possible for the hackers to hack into my server once again?
Yes it is... But the chances are quite low. Cos the patches are built to fix those known exploits... And it will be lesser than known exploits until new ones arise.
Originally posted by noti
yup, i am not using my own DNS and didn't have the DNS on. but the problem is that i never update the patches :(
I am still confused why you were hit by the LION virus since you were not running DNS yourself and your DNS server was off. The Lion virus hits the BIND program (version 8.2.2) that runs the DNS server and this is what 4webspace have tried to avoid by not allowing their customers to run their own DNS server.
Even if you have not updated your Bind to version 8.2.3, you should not have been hit by the virus because you were not running the program. I think you should ask 4webspace why this has happened to you.
Mivo,
i think i must have somehow enabled dns on my server then ... i have installed all the patches at http://www.cobalt.com/support/download/raq3.eng.html except for the chilisoft ones and the POP Before SMTP Relaying 4.0.7.
by the way, what version is the BIND patch on the page i stated above? and is the above page the latest update of patches? (i plan to visit that page daily so have to make sure :))
thanks in advance for your help :)
Yes, the latest update of Bind is version 8.2.3 and it's what's on the Cobalt updates page. You may also want to monitor security bulletins at: http://www.sans.org/current.htm. Cobalt sometimes takes a looong time to issue patches for known exploits. The bind exploit was already known by January and Cobalt only issued a patch by February 9th. BTW my RAQ3 server was also hit by the Lion virus February 12th. :-(
You may also want to join the Cobalt mailing list (found on cobalt.com).
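
Added example (not written by any poster in this thread): a POSIX shell script for the two checks the replies above reason about, whether anything on the host is bound to the DNS port and whether the reported BIND version is older than 8.2.3. The function names, the constructed netstat sample, the sample version string and the choice to ignore suffixes such as -P5 are assumptions of this example.

```shell
#!/bin/sh
# Added example: function names and sample data are assumptions, not from the thread.
FIXED_VERSION="8.2.3"   # BIND release named in the thread as the patched one

# Constructed sample of `netstat -an` output (Linux column layout).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:53        0.0.0.0:*         LISTEN
udp        0      0 0.0.0.0:53        0.0.0.0:*'

# Reads netstat-style lines on stdin; succeeds if a local socket is bound to port 53.
listens_on_53() {
    awk '($1 ~ /^udp/ || ($1 ~ /^tcp/ && $6 == "LISTEN")) && $4 ~ /:53$/ { found = 1 }
         END { exit !found }'
}

# Extracts the leading dotted number, e.g. "named 8.2.2-P5" -> "8.2.2".
# Suffixes such as -P5 or -REL are ignored (assumption of this example).
numeric_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# Succeeds if version $1 is older than version $2, comparing three numeric fields.
# An unparseable version compares as 0.0.0, so it is treated as old.
version_lt() {
    awk -v a="$(numeric_version "$1")" -v b="$(numeric_version "$2")" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# $1 = netstat -an output, $2 = version string the name server reports.
assess() {
    if ! printf '%s\n' "$1" | listens_on_53; then
        echo "not-listening"
    elif version_lt "$2" "$FIXED_VERSION"; then
        echo "listening-unpatched"
    else
        echo "listening-patched"
    fi
}

# On a live host, pass "$(netstat -an)" instead of the sample.
assess "$SAMPLE_NETSTAT" "8.2.2-P5"
```

A "not-listening" result only describes the moment the check ran; it says nothing about whether the service was enabled earlier.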