
RE: [cobalt-developers] Outbound Port Scan



You may have been hacked.  Search the hard drive for a file called
Masscanner I think.  You have probably been rooted, meaning a hacker
used a known exploit to gain root access to your server.  Embarrassed
to say it, but it happened to me.  You may be spending the night to
rebuild the server.  If you have been running backups it's probably
not too bad.
If not, turn off the server, take out the hard drive, get another
Linux machine up and running.  Install the Raq hard drive.  Mount the HD,
copy all the files under /home/sites to a folder on the new Linux
box. Install the hard drive back in the Raq and reinstall the Cobalt
OS.  Use the links under /home/sites to rebuild all the sites in the
order specified.
Do some more research, you may not have been hacked.  But that's what
happened to me.  The hacker got root access, used a port scanner to
scan the Australian CERT.  Oh it was a fun weekend.
Enjoy
Mike, email me if you have any questions.

---- Original Message ----
From: raq@xxxxxxxxxxxxx
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-developers] Outbound Port Scan
Date: Fri, 18 Jul 2003 07:19:13 -0700

>We have had inbound port scans, but this is the first outbound I have
>received.
>
>How does an outbound happen?  This machine hosts only our web sites.
>
>            Timestamp:  Fri 18 Jul 2003 04:04:11 AM PDT
>           Alert Type:  Port Scan Detected
>            Interface:  eth0
>             Protocol:  tcp
>  Packet Size (bytes):  40
>
>       Source Address:  xxx.xxx.xxx.xxx
>          Source port:  445
>            Direction:  outbound
>  Destination Address:  140.109.34.14
>     Destination Port:  3519
>
>            Log Entry:  eth0:portscan: tcp xxx.xxx.xxx.xxx/445 -> 140.109.34.14/3519 40 rst (16)
>
>_______________________________________________
>cobalt-developers mailing list
>cobalt-developers@xxxxxxxxxxxxxxx
>http://list.cobalt.com/mailman/listinfo/cobalt-developers
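
As an added example (not part of either message), a triage helper for entries in the format of the quoted "Log Entry" line: it separates header-only RST packets sent from a service port, which is what a host emits when it answers a connection attempt to a closed port, from a host that is opening connections to many targets. The regex is inferred from that single line; the `syn` flag value, the fan-out threshold and the sample addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict

# Pattern inferred from the one "Log Entry" line quoted in the thread; the
# meaning of the trailing "(16)" is not stated there, so it is kept opaque.
ENTRY = re.compile(
    r"(?P<iface>\w+):portscan: (?P<proto>\w+) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) -> (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<size>\d+) (?P<flag>\w+) \((?P<code>\d+)\)"
)

def parse(line):
    """Return the entry as a dict, or None if the line is not a portscan entry."""
    m = ENTRY.search(line)
    if not m:
        return None
    e = m.groupdict()
    for key in ("sport", "dport", "size", "code"):
        e[key] = int(e[key])
    return e

def triage(lines, fanout=3):
    """Label each local source address 'scan-like', 'reset-reply' or 'unclear'."""
    by_src = defaultdict(list)
    for e in filter(None, map(parse, lines)):
        by_src[e["src"]].append(e)
    verdicts = {}
    for src, entries in by_src.items():
        # Distinct targets this host tried to open a connection to (assumed "syn" flag).
        targets = {(e["dst"], e["dport"]) for e in entries if e["flag"] == "syn"}
        # 40 bytes = IPv4 header + TCP header, no payload; service port -> high port.
        replies = [e for e in entries if e["flag"] == "rst" and e["size"] == 40
                   and e["sport"] < 1024 <= e["dport"]]
        if len(targets) >= fanout:
            verdicts[src] = "scan-like"
        elif replies and len(replies) == len(entries):
            verdicts[src] = "reset-reply"
        else:
            verdicts[src] = "unclear"
    return verdicts

# Constructed sample lines modelled on the quoted entry.
SAMPLE = [
    "eth0:portscan: tcp 192.0.2.10/445 -> 198.51.100.7/3519 40 rst (16)",
    "eth0:portscan: tcp 192.0.2.20/40112 -> 198.51.100.1/22 44 syn (16)",
    "eth0:portscan: tcp 192.0.2.20/40113 -> 198.51.100.2/22 44 syn (16)",
    "eth0:portscan: tcp 192.0.2.20/40114 -> 198.51.100.3/22 44 syn (16)",
    "unrelated syslog line",
]
```

A `reset-reply` verdict describes only the shape of the logged packets; it does not establish whether the host is clean.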