Re: [cobalt-users] Howto trace hack (was: Raq550: SMTP shutting down)
- Subject: Re: [cobalt-users] Howto trace hack (was: Raq550: SMTP shutting down)
- From: "PageKeeper Service" <host@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu Mar 18 16:39:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
----- Original Message -----
Sent: Thursday, March 18, 2004 5:52 PM
Subject: RE: [cobalt-users] Howto trace hack (was: Raq550: SMTP shutting down)
> Hi,
>
> After the last few mails a couple of hours ago I was unable to reach the
> server (no mails, no ssh, no ftp, only a ping worked).
> So I just got back from the datacenter. Rebooting with the LCD panel wasn't
> possible anymore. So I used the power button to reboot.
> Everything came back online so the first thing we did was to move those
> foreign files somewhere else for further checking.
> /home/tmp is symlinked to /tmp, so I guess they managed to upload their
> stuff through a php upload script on one of the sites.
> They ran an undernet ircd and amech (file sharing or something ?). I found
> files of users, their pw and ip in the undernet folders.
> One
> We checked the processes, rebooted, checked if there were new files,
> checked processes and nothing out of the usual.
> However I would really like to know:
> 1) which vhost/script was used to upload that crap and how can they exec
> tar -zxvf their *.gz files
> 2) Is it possible to run configure, makefile (needed for the undernet
> installation) without shell access (# last didn't show any unusual logins
> and no unusual users in /etc/passwd), e.g through a php script ?
> 3) As long as I don't find the reason, nothing will prevent them from doing
> it again. What can I do to prevent this? Can I send a mail to me every
> 15min with a list of the contents of /tmp? Anyone have a quick syntax for
> that please?
>
> Thanks
> John
>
Your server has been invaded.
I have one for the raq4 that I wrote in perl and have been using for years.
Might be more than you need. Below is its output.
Date - Time: Thursday, March 18, 2004 6:15:00 PM [Thu Mar 18 18:15:00 CST 2004]
Program Script Path: /root/checks/ls-tmp.pl
Directory Information Path: /home/tmp
List Directory Information:
total 3
drwxrwxrwt 3 root root 1024 Mar 18 18:00 .
drwxr-xr-x 18 root root 1024 Jan 24 01:48 ..
drwxrwxrwx 2 root root 1024 Mar 1 06:20 .casp3000
srwxrwxrwx 1 postgres root 0 Mar 1 04:50 .s.PGSQL.5432
lrwxrwxrwx 1 root root 22 Mar 1 04:50 mysql.sock -> /home/mysql/mysql.sock
Directory Information Path:
/home/openwebmail/cgi-bin/openwebmail/etc/sessions
List Directory Information:
total 3
drwxrwx--- 2 root mail 2048 Mar 18 17:15 .
drwxr-xr-x 9 root mail 1024 Mar 16 08:32 ..
EOF
David Hahn
PageKeeper Service
http://www.pagekeeperservice.com
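The every-15-minutes /tmp check John asks for, written here as an added POSIX shell example rather than David Hahn's Perl script: it prints sections in the same layout as the output above, but only mails a report when a watched directory's listing differs from the previous run, so a file dropped through an upload script shows up without 96 identical mails a day. Assumed: ls, diff, mail and hostname are available, and the STATE_DIR, RECIPIENT and crontab path are placeholders.

```shell
#!/bin/sh
# Added example, not the Perl script quoted in the message above.
# Assumptions: POSIX sh with ls, diff, mail, hostname; placeholder defaults below.
STATE_DIR="${STATE_DIR:-/var/tmp/ls-tmp-state}"   # assumed location for baselines
RECIPIENT="${RECIPIENT:-root}"                      # assumed mail recipient

# One report section per directory, in the layout of the output quoted above.
# The trailing slash makes ls follow a symlinked path such as /home/tmp -> /tmp.
list_dir() {
    printf 'Directory Information Path: %s\n' "$1"
    printf 'List Directory Information:\n'
    ls -lA "$1/" 2>&1
    printf 'EOF\n'
}

# Full report: timestamp header followed by a section per directory argument.
build_report() {
    printf 'Date - Time: %s\n' "$(date)"
    for d in "$@"; do list_dir "$d"; done
}

# Compare the current listing of $1 with the one saved on the previous run.
# Returns 0 (changed) on the first run or when any entry, size, owner, mode
# or mtime differs; returns 1 when the listing is identical.
changed_since_last() {
    key=$(printf '%s' "$1" | tr '/' '_')
    mkdir -p "$STATE_DIR"
    ls -lA "$1/" > "$STATE_DIR/$key.new" 2>&1
    if [ -f "$STATE_DIR/$key.old" ] &&
       diff -q "$STATE_DIR/$key.old" "$STATE_DIR/$key.new" >/dev/null; then
        rm -f "$STATE_DIR/$key.new"
        return 1
    fi
    mv "$STATE_DIR/$key.new" "$STATE_DIR/$key.old"
    return 0
}

# Mail the report only when at least one watched directory changed.
main() {
    changed=0
    for d in "$@"; do
        if changed_since_last "$d"; then changed=1; fi
    done
    [ "$changed" -eq 1 ] || return 0
    build_report "$@" | mail -s "tmp watch: change on $(hostname)" "$RECIPIENT"
}

# Assumed crontab entry: */15 * * * * /root/checks/ls-tmp.sh /tmp /home/tmp
if [ "$#" -gt 0 ]; then main "$@"; fi
```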