RE: [cobalt-users] Howto trace hack (was: Raq550: SMTP shutting down)
- Subject: RE: [cobalt-users] Howto trace hack (was: Raq550: SMTP shutting down)
- From: "Crocket" <crocket@xxxxxxxxxxx>
- Date: Thu Mar 18 16:55:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Well, they did put it in both hidden and normal folders, /tmp/.amech and
/tmp/.src, but we found those too.
I'll check the sites of my customers for gallery. I think one or two use it.
Thanks
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Thom R. Lacosta
Sent: Friday, 19 March 2004 1:43
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] Howto trace hack (was: Raq550: SMTP shutting
down)
On Fri, 19 Mar 2004, Crocket wrote:
> 1) which vhost/script was used to upload that crap and how can they exec
> tar -zxvf their *.gz files
> 2) Is it possible to run configure, makefile (needed for the undernet
> installation) without shell access (# last didn't show any unusual logins
> and no unusual users in /etc/passwd), e.g. through a PHP script?
Some older versions of PHP Gallery and PHPdig had recently announced
exploits that allow root access.
Once they get in that way, they can install the IRC stuff. Check the
.bash_history file. You're lucky they didn't put the stuff into hidden
directories.
Thom
http://www.baltimorehon.com/ Home of the Baltimore Lexicon
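
Added example, not written by either poster: one way to approach question 1 above is to list hidden directories under /tmp with their owner and modification time, then pull the PHP requests that each vhost access log recorded shortly before that time. It assumes GNU find and date and Apache common/combined log format; the function names, the window length and the log path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added triage sketch; assumes GNU find/date and Apache common/combined logs.
# Usage (paths are placeholders): sh triage.sh /tmp 900 /path/to/vhost/logs/*access*

# Hidden directories up to two levels under $1: "<mtime epoch> <owner> <path>".
# Note: a directory's mtime is its last change, and it can be forged.
hidden_dirs() {
    find "$1" -mindepth 1 -maxdepth 2 -type d -name '.*' \
        -printf '%T@ %u %p\n' 2>/dev/null | sort -n
}

# "18/Mar/2004:16:55:01 +0100" -> epoch seconds.
apache_ts_to_epoch() {
    date -d "$(printf '%s\n' "$1" | sed 's#/# #g; s#:# #')" +%s
}

# Print log lines requesting a .php script in the $2 seconds before epoch $1.
# Remaining arguments are access logs; grep -H keeps the file (vhost) name.
php_requests_before() {
    target=$1; window=$2; shift 2
    [ "$#" -gt 0 ] || return 0          # no logs given: do not read stdin
    grep -H '\.php' "$@" 2>/dev/null | while IFS= read -r line; do
        ts=$(printf '%s\n' "$line" | sed -n 's/^[^[]*\[\([^]]*\)].*/\1/p')
        [ -n "$ts" ] || continue
        e=$(apache_ts_to_epoch "$ts" 2>/dev/null) || continue
        d=$((target - e))
        if [ "$d" -ge 0 ] && [ "$d" -le "$window" ]; then
            printf '%s\n' "$line"
        fi
    done
}

# For each hidden directory, list the PHP requests that preceded its mtime.
triage() {
    scratch=$1; win=$2; shift 2
    hidden_dirs "$scratch" | while read -r epoch owner path; do
        printf '== %s (owner %s)\n' "$path" "$owner"
        php_requests_before "${epoch%.*}" "$win" "$@"
    done
}

[ "$#" -eq 0 ] || triage "$@"
```

A directory owned by the web server account points at a web script rather than a shell login, which fits the clean `last` output mentioned in the question.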