RE: [cobalt-users] Howto trace hack [SCANNED]
- Subject: RE: [cobalt-users] Howto trace hack [SCANNED]
- From: "Crocket" <crocket@xxxxxxxxxxx>
- Date: Fri Mar 19 12:07:00 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
I was changing something in a httpd conf file and restarted the httpd but
none of the sites were showing so I checked top.
It came to my attention that there were processes running that shouldn't be
running:
root 777 1 0 Mar18 ? 00:00:02 /usr/sbin/httpd.admsrv -f /etc/a
httpd 10725 1 0 15:53 ? 00:00:00 ./kik sh -i ./LegendBind
httpd 10726 1 0 15:53 ? 00:00:00 sh -i
httpd 10727 10726 0 15:53 ? 00:00:00 [LegendBind <defunct>]
httpd 10728 10725 0 15:53 ? 00:00:00 [kik <defunct>]
httpd 10733 1 0 15:53 ? 00:00:00 sh -i
httpd 10749 1 0 15:53 ? 00:00:00 ./kik sh -i ./LegendBind
httpd 10750 1 0 15:53 ? 00:00:00 sh -i
httpd 10751 10750 0 15:53 ? 00:00:00 [LegendBind <defunct>]
httpd 10752 10749 0 15:53 ? 00:00:00 [kik <defunct>]
httpd 10767 1 0 15:53 ? 00:00:00 ./kik sh -i ./LegendBind
httpd 10768 1 0 15:53 ? 00:00:00 sh -i
httpd 10769 10768 0 15:53 ? 00:00:00 [LegendBind <defunct>]
httpd 10770 10767 0 15:53 ? 00:00:00 [kik <defunct>]
httpd 11670 777 0 16:02 ? 00:00:02 /usr/sbin/httpd.admsrv -f /etc/a
httpd 11687 777 0 16:02 ? 00:00:02 /usr/sbin/httpd.admsrv -f /etc/a
httpd 11708 777 0 16:02 ? 00:00:01 /usr/sbin/httpd.admsrv -f /etc/a
So I located "kik" and it was found in /home/spool/samba with other crap.
This is what they were able to do today when the modules were still there,
just before I noticed the new attempt.
I removed the crap files and did a killall -9 kik, a killall -9 httpd and
restarted the webserver.
The httpd is up and running again and so are the sites (without that gallery
module).
The only worry I have now are those 3 processes that run under httpd
httpd 11670 777 0 16:02 ? 00:00:02 /usr/sbin/httpd.admsrv -f /etc/a
httpd 11687 777 0 16:02 ? 00:00:02 /usr/sbin/httpd.admsrv -f /etc/a
httpd 11708 777 0 16:02 ? 00:00:01 /usr/sbin/httpd.admsrv -f /etc/a
Shouldn't this run under root like the first one ???
root 777 1 0 Mar18 ? 00:00:02 /usr/sbin/httpd.admsrv -f /etc/a
Can I kill those 3?
PS: I filed a complaint through www.ifccfbi.gov giving all the details of
the hackers (Jacksonville, FLA) and exploit.
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Dave's List Addy
Sent: Friday 19 March 2004 18:31
To: Users
Subject: Re: [cobalt-users] Howto trace hack [SCANNED]
On 3/19/04 10:59 AM, "Crocket" wrote:
> If not I will remove those modules from the sites and warn my customers.
Crocket, remove that module, or hit the PHPNuke site and see if they have a
fix. Or turn off the feature that allows a visitor to upload into that
module.
--
Thanks!!
David Thurman
List Only at Web Presence Group Net
_____________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
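The process listing in the post above is the kind of thing a small triage script can sort out: which httpd-owned processes are normal server workers and which are not. The script below is an added example and is not code from the post, from the list, or from Sun Cobalt. It assumes `ps -ef` column order (UID PID PPID C STIME TTY TIME CMD), uses a constructed sample modelled on the listing in the post (the config path after `-f` is a placeholder, since the post's own path is cut off), and encodes the usual Apache-style model in which a root parent forks worker children that run as the configured unprivileged user. Under that model, `httpd.admsrv` workers owned by `httpd` whose parent is the root process 777 are expected; httpd-owned interactive shells, binaries launched by relative path, processes reparented to init, and zombies hanging off a non-server parent are the lines worth killing and investigating.

```python
"""Triage a ps -ef style listing for web-server worker anomalies.

Added example for the cobalt-users thread; not the post's or Sun Cobalt's code.
Assumes the ps -ef column layout: UID PID PPID C STIME TTY TIME CMD.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the listing in the post. /etc/PLACEHOLDER.conf
# stands in for the config path that is truncated in the original mail.
SAMPLE_PS = """\
UID PID PPID C STIME TTY TIME CMD
root 777 1 0 Mar18 ? 00:00:02 /usr/sbin/httpd.admsrv -f /etc/PLACEHOLDER.conf
httpd 10725 1 0 15:53 ? 00:00:00 ./kik sh -i ./LegendBind
httpd 10726 1 0 15:53 ? 00:00:00 sh -i
httpd 10727 10726 0 15:53 ? 00:00:00 [LegendBind <defunct>]
httpd 10728 10725 0 15:53 ? 00:00:00 [kik <defunct>]
httpd 10733 1 0 15:53 ? 00:00:00 sh -i
httpd 11670 777 0 16:02 ? 00:00:02 /usr/sbin/httpd.admsrv -f /etc/PLACEHOLDER.conf
httpd 11687 777 0 16:02 ? 00:00:02 /usr/sbin/httpd.admsrv -f /etc/PLACEHOLDER.conf
"""

PS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+"   # UID PID PPID C
    r"\S+\s+\S+\s+\d+:\d+:\d+\s+(?P<cmd>.+)$"                    # STIME TTY TIME CMD
)

# Binaries that legitimately run as web-server workers on this box (assumption).
SERVER_BINARIES = ("/usr/sbin/httpd", "/usr/sbin/httpd.admsrv")


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    cmd: str

    @property
    def argv0(self) -> str:
        return self.cmd.split()[0]


def parse_ps(text: str) -> list[Proc]:
    """Parse ps -ef output into Proc records, skipping the header and junk lines."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line.strip())
        if m:
            procs.append(Proc(m["user"], int(m["pid"]), int(m["ppid"]), m["cmd"].strip()))
    return procs


def is_expected_worker(p: Proc, by_pid: dict[int, Proc], web_user: str = "httpd") -> bool:
    """True for the normal Apache layout: unprivileged child of a root parent
    running the same server binary. This answers 'should these run as root?':
    no, only the parent does."""
    parent = by_pid.get(p.ppid)
    return (
        p.user == web_user
        and p.argv0 in SERVER_BINARIES
        and parent is not None
        and parent.user == "root"
        and parent.argv0 == p.argv0
    )


def expected_workers(procs: list[Proc]) -> list[int]:
    by_pid = {p.pid: p for p in procs}
    return [p.pid for p in procs if is_expected_worker(p, by_pid)]


def triage(procs: list[Proc], web_user: str = "httpd") -> list[tuple[int, str, list[str]]]:
    """Return (pid, cmd, reasons) for web-user processes that do not fit the worker model."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.user != web_user or is_expected_worker(p, by_pid, web_user):
            continue
        reasons = []
        if p.argv0.startswith("./") or p.argv0.startswith(("/tmp/", "/var/tmp/")):
            reasons.append("binary launched from a relative or scratch path")
        if re.search(r"\bsh -i\b", p.cmd):
            reasons.append("interactive shell owned by the web user")
        if p.ppid == 1 and p.argv0 not in SERVER_BINARIES:
            reasons.append("reparented to init; not a server worker")
        if "<defunct>" in p.cmd:
            parent = by_pid.get(p.ppid)
            if parent is None or parent.argv0 not in SERVER_BINARIES:
                reasons.append("zombie child of a non-server process")
        if reasons:
            findings.append((p.pid, p.cmd, reasons))
    return findings


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    print("expected workers:", expected_workers(procs))
    for pid, cmd, reasons in triage(procs):
        print(f"{pid:>6}  {cmd:<40} {'; '.join(reasons)}")
```

On the sample, the two `httpd.admsrv` children are reported as expected workers and the `./kik`, `sh -i` and `<defunct>` lines are flagged. Point it at real output with `ps -ef | python3 triage.py` after replacing `SAMPLE_PS` with `sys.stdin.read()`; the binary list and the web user are the two things to adjust for a different host.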