
RE: [cobalt-users] Howto trace hack (was: Raq550: SMTP shutting down)
Hi,

After the last few mails a couple of hours ago I was unable to reach the
server (no mails, no ssh, no ftp, only a ping worked).
So I just got back from the datacenter. Rebooting with the LCD panel wasn't
possible anymore. So I used the power button to reboot.
Everything came back online so the first thing we did was to move those
foreign files somewhere else for further checking.
/home/tmp is symlinked to /tmp, so I guess they managed to upload their
stuff through a php upload script on one of the sites.
They ran an undernet ircd and amech (file sharing or something?). I found
files of users, their pw and ip in the undernet folders.
One
We checked the processes, rebooted, checked if there were new files,
checked processes and nothing out of the usual.
However I would really like to know:
1) which vhost/script was used to upload that crap and how can they exec
tar -zxvf their *.gz files
2) Is it possible to run configure, makefile (needed for the undernet
installation) without shell access (# last didn't show any unusual logins
and no unusual users in /etc/passwd), e.g. through a php script?
3) As long as I don't find the reason, nothing will prevent them from doing
it again. What can I do to prevent this? Can I have a mail sent to me every
15 min with a list of the contents of /tmp? Anyone have a quick syntax for
that please?

Thanks
John
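The 15-minute /tmp check asked for in question 3, written out as an added example (this is not code from the original post or from anyone in the thread). Rather than mailing the full listing every run, it keeps a baseline listing and mails only the diff, so a new tarball or ircd directory shows up once, with the owning uid (typically the web server user when a php upload script is the way in). It assumes GNU find (for -printf), a working local `mail` command, and the placeholder paths and address shown; the script name /usr/local/sbin/dirwatch.sh is also a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post or thread: keep a baseline listing
# of a directory (e.g. /tmp), diff the current listing against it on each run,
# and mail the changes. Assumes GNU find (-printf), a local "mail" command,
# and the placeholder STATE_DIR / ALERT_TO values below.
set -u

STATE_DIR="${STATE_DIR:-/var/lib/dirwatch}"      # hypothetical place to keep baselines
ALERT_TO="${ALERT_TO:-admin@example.com}"       # placeholder recipient

# snapshot_dir DIR: one sorted line per entry (mode owner size mtime path).
# Owner and mode are included so the mail shows which uid dropped a file.
snapshot_dir() {
    find "$1" -mindepth 1 -printf '%M %u %s %TY-%Tm-%Td %TH:%TM %p\n' 2>/dev/null | sort
}

# compare_snapshot DIR BASELINE: print the diff against BASELINE, then refresh
# BASELINE. Returns 0 when nothing changed (or on the first run), 1 otherwise.
compare_snapshot() {
    dir="$1"; base="$2"
    current=$(snapshot_dir "$dir")
    if [ ! -f "$base" ]; then
        # First run: just record the baseline, nothing to report yet.
        printf '%s\n' "$current" > "$base"
        return 0
    fi
    # diff exits 1 when the files differ; that is the case we want, not an error.
    changes=$(printf '%s\n' "$current" | diff "$base" - || true)
    printf '%s\n' "$current" > "$base"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# report_changes DIR BASELINE: mail the diff to ALERT_TO when anything changed.
report_changes() {
    if changes=$(compare_snapshot "$1" "$2"); then
        return 0
    fi
    printf 'Changes in %s on %s:\n\n%s\n' "$1" "$(hostname)" "$changes" \
        | mail -s "[$(hostname)] $1 changed" "$ALERT_TO"
}

# When run as a script with a directory argument, e.g. from root's crontab
# (placeholder path; save the script wherever suits you):
#   */15 * * * * /usr/local/sbin/dirwatch.sh /tmp
if [ -n "${1:-}" ]; then
    mkdir -p "$STATE_DIR"
    report_changes "$1" "$STATE_DIR/$(printf '%s' "$1" | tr '/' '_').baseline"
fi
```

Because the baseline is refreshed on every run, each mail contains only what changed since the previous check, which keeps the mails readable. Anything created and deleted again inside one 15-minute window is missed, so this is a tripwire for the next attempt, not a replacement for finding and fixing the upload script; when a mail does arrive, the owner column plus the web server's access log for the same minutes is usually enough to identify the vhost.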