RE: [cobalt-users] Raq550: SMTP shutting down
- Subject: RE: [cobalt-users] Raq550: SMTP shutting down
- From: "Crocket" <crocket@xxxxxxxxxxx>
- Date: Thu Mar 18 09:34:00 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
The folder Legendport contains 3 files infected with the Linux.RST.B virus.
Please advise.
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Crocket
Sent: Thursday, 18 March 2004 18:29
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] Raq550: SMTP shutting down
Dang, it's in /home/tmp
[root tmp]# ls -l
total 3892
-rw-r--r-- 1 httpd httpd 379849 Feb 5 13:12 amech.tgz
-rw-r--r-- 1 httpd httpd 856405 Mar 10 14:08 bot.tgz
-rw-r--r-- 1 httpd httpd 856405 Mar 10 14:08 bot.tgz.1
-rw-r--r-- 1 httpd httpd 856405 Mar 10 14:08 bot.tgz.2
-rw------- 1 root root 49 Mar 18 17:58 ClamAVBusy.lock
-rw-r--r-- 1 httpd httpd 43 Mar 18 16:18 cmdtemp
drwxr-xr-x 2 root root 6 Dec 22 10:28 dbmtest.26876
drwxr-xr-x 2 root root 6 Dec 22 10:34 dbmtest.27203
drwxr-xr-x 2 root root 6 Dec 21 23:44 dbmtest.32482
-rwxr-xr-x 1 httpd httpd 476847 Mar 18 16:36 I
-rw-r--r-- 1 httpd httpd 31287 Mar 18 16:52 index.html
drwxr-xr-x 2 httpd httpd 45 Mar 18 16:18 LegendPort
-rw-r--r-- 1 httpd httpd 20303 Feb 5 08:42 LegendPort.tgz
-rw-r--r-- 1 httpd httpd 20303 Feb 5 08:42 LegendPort.tgz.1
-rw-r--r-- 1 httpd httpd 20303 Feb 5 08:42 LegendPort.tgz.2
-rw-r--r-- 1 httpd httpd 20303 Feb 5 08:42 LegendPort.tgz.3
-rw-r--r-- 1 httpd httpd 20303 Feb 5 08:42 LegendPort.tgz.4
-rw-r--r-- 1 httpd httpd 20303 Feb 5 08:42 LegendPort.tgz.5
-rw-r--r-- 1 httpd httpd 20303 Feb 5 08:42 LegendPort.tgz.6
-rw-r--r-- 1 httpd httpd 20303 Feb 5 08:42 LegendPort.tgz.7
-rw-r--r-- 1 httpd httpd 20303 Feb 5 08:42 LegendPort.tgz.8
-rw-r--r-- 1 httpd httpd 20303 Feb 5 08:42 LegendPort.tgz.9
drwxr-xr-x 2 httpd httpd 6 Feb 19 23:23 paletteStatus
-rw------- 1 httpd httpd 158689 Mar 11 04:02 phpAja8f9
-rw------- 1 httpd httpd 387 Mar 18 15:59 sess_05629467318cd838bb21cf52d8ab8cbf
-rw------- 1 httpd httpd 387 Mar 18 16:18 sess_fb020d945831fc06b2472e85be647076
-rw------- 1 httpd httpd 517 Mar 18 16:32 sess_fd686a00a408f89be115bceddb21ea6b
-rw------- 1 httpd httpd 387 Mar 18 17:11 sess_fecf1e0917f8518fdcb02655f6dc8c89
... a bunch of sessionfiles ...
drwx------ 4 httpd httpd 4096 Mar 17 15:03 shit
-rwxr-xr-x 1 httpd httpd 15780 Mar 4 02:48 undernet
-rw-r--r-- 1 httpd httpd 6227 Mar 3 19:40 undernet.tgz
There's a lot of crap that's not supposed to be there.
Any way to find out from where they were able to upload it? httpd access log?
I suppose it's upped through some PHP form, right?
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Dmitry Alexeyev
Sent: Thursday, 18 March 2004 17:34
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] Raq550: SMTP shutting down
> Almost 94% used by a certain command. What is this "undernet" command
> about? The only undernet I know is the IRC channel...
Maybe it's an IRC bot?
Anyways, do
# find /home/sites -name undernet
You probably have a visitor.
>
> 19379 httpd 19 0 472 472 400 R 0 93.9 0.0 7:31 undernet
> A few minutes after that the server is back 85% idle ....
_____________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
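One way to approach the access-log question raised in the thread, as an added example (not code from any poster): list the httpd requests that fall just before the time a dropped file appeared, POSTs first. The log lines, hosts, paths and timestamp below are constructed, and the common/combined Apache log format is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Parse one common/combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {"host": m.group("host"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def requests_near(log_lines, change_time, before_s=120, after_s=5):
    """Requests that could have created a file whose inode changed at change_time.

    Use st_ctime (ls -lc) rather than mtime where possible: mtime can be
    carried over from an archive or a remote server, ctime is set locally.
    POSTs sort first, then the requests closest to change_time.
    """
    lo = change_time - timedelta(seconds=before_s)
    hi = change_time + timedelta(seconds=after_s)
    hits = [r for r in map(parse_line, log_lines) if r and lo <= r["ts"] <= hi]
    return sorted(hits, key=lambda r: (r["method"] != "POST",
                                       abs((r["ts"] - change_time).total_seconds())))

# Constructed sample data (not from the thread's server); hosts are documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Mar/2004:16:10:02 +0100] "GET /index.html HTTP/1.0" 200 31287',
    '198.51.100.7 - - [18/Mar/2004:16:17:41 +0100] "GET /gallery/view.php?id=3 HTTP/1.0" 200 512',
    '198.51.100.7 - - [18/Mar/2004:16:17:58 +0100] "POST /contact/form.php HTTP/1.0" 200 43',
    'garbage line that is not a request',
    '192.0.2.10 - - [18/Mar/2004:16:25:30 +0100] "GET /about.html HTTP/1.0" 200 900',
]
CET = timezone(timedelta(hours=1))
CHANGE_TIME = datetime(2004, 3, 18, 16, 18, 5, tzinfo=CET)  # constructed ctime

if __name__ == "__main__":
    for r in requests_near(SAMPLE_LOG, CHANGE_TIME):
        print(r["ts"].isoformat(), r["host"], r["method"], r["path"], r["status"])
```

The access log only helps if it covers the period in question and has not been rotated away or altered; the client addresses it yields are leads to check, not proof of origin.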