Re: [[cobalt-users] Server Hacked?]
- Subject: Re: [[cobalt-users] Server Hacked?]
- From: "CobaltList" <CobaltList@xxxxxxxxxxx>
- Date: Sun Feb 13 11:59:42 2000
Manuel,

Generally if your server has been compromised you have no way of knowing if
they have root access and what system files they may have changed. Also log
everything you do as you investigate this problem, it might help in the
future.

The first thing I would do is make an exact duplicate of the hard drive for
legal purposes. Next change my root password on any other systems which have
the same password as the one you had hacked. Change the root password on the
hacked system to a totally different one from any others (passwd might have
been replaced and could give away the store).

Move all of the clients to a known clean box, changing their passwords to
strong passwords. If they have any cgi scripts which they have uploaded I
would also examine them to see what they do. I would deny them telnet access
unless they really, really, really needed it and could prove it. You can
debug 99.9% of cgi script problems with ftp and log files so that is not
proof enough.

Analyze the system to see what files they changed and what they did while in
your system.

See if you can figure out who it is, if so bring legal action against them,
if you can (not an attorney, so I suggest you talk to one).

Take the now useless box and format the hard drive and load the OS from a
known good source. I have been told that there is a CD available to do this.

If the above steps are out of your area of expertise hire someone who knows
what they are doing.

Hope this helps.

Roger
support@xxxxxxxxxxxxxxxxx
http://www.active-server.com
----- Original Message -----
From: manitu <manitu@xxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Sunday, February 13, 2000 10:18 AM
Subject: Re: [[cobalt-users] Server Hacked?]
> > I would guess it would, but I wouldn't do that and none of my users has
> > telnet access.
>
> I think granting telnet access sparingly could help improve security (oh,
> it rhymes...).
>
> Is there a log which I can look at in order to see which of my customers
> (users) have ever logged in via telnet so that I only give telnet access to
> those who really need it?
>
> Manuel