Re: [cobalt-users] CHkrootkit output
- Subject: Re: [cobalt-users] CHkrootkit output
- From: "PageKeeper Service" <host@xxxxxxxxxxxxxxxxxxxxx>
- Date: Sun Apr 18 09:57:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> >
> > I believe that machine has been hacked. Is cron doing weird stuff? Other
> > processes like devine?
>
>
> And your conclusion is based on ??
Seeing it first hand. Some notes..
Cron will work. Turning it off is the problem, a process called devine will pop up usually once a day and stay running. It's nasty. Believe it can sniff the username and pw of clients' ISP logins besides the system passwords. They used a wget from the server to download it from a free ISP in Europe.
They entered through a script called phpnuke one time and cgi (forgot the name) on another raq4. Other than those notes it ran fine. It also searches files for cc numbers, email addresses and any ftp user connections from any scripts.
Once I saw that, it went offline. A reboot usually starts the ball rolling if I remember right, then clients can be locked out of shell and ftp along with the admin. Mods to the hosts.deny and allow files.
> Cron is fully operational and normal.
>
> No strange processes
David Hahn
PageKeeper Service
1512 Deborah Road #102
Rio Rancho, New Mexico 87124 US
505-892-8723
http://www.pagekeeperservice.com