[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] CHkrootkit output

Subject: Re: [cobalt-users] CHkrootkit output
From: "R. Hamburg .: HaVa Web- & Processdesign :." <user@xxxxxxx>
Date: Sun Apr 18 10:47:38 2004
List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>

nope
----- Original Message ----- 
From: "Ted" <ted@xxxxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Sunday, April 18, 2004 7:17 PM
Subject: Re: [cobalt-users] CHkrootkit output


> sounds like a Trojan of some sorts.
> Can you see it running in top?
>
>
>
>
> ----- Original Message ----- 
> From: "PageKeeper Service" <host@xxxxxxxxxxxxxxxxxxxxx>
> To: <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Sunday, April 18, 2004 10:57 AM
> Subject: Re: [cobalt-users] CHkrootkit output
>
>
> > Subject: Re: [cobalt-users] CHkrootkit output
> >
> >
> > > >
> > > > I believe that machine has been hacked. Is cron doing weird stuff?
> Other
> > > > processes like devine?
> > >
> > >
> > > And you conclusion is based on ??
> > Seeing it first hand. Some notes..
> > Cron will work. Tuning it off is the problem, a process called devine
> > will popup usually once a day and stay running. Its nasty. Believe it
can
> > sniff the username and pw of clients
> > isp logins besides the system passwords. They used a wget from the
server
> to
> > download it from a free isp in europe.
> > They entered through a script called phpnuke one time and cgi (forgot
the
> > name) on another raq4. Other than those
> > notes it ran fine. It also searches files for cc numbers, email
addresses
> > and any ftp user connections from any scripts.
> > Once I saw that, it went offline. A reboot usually starts the ball
rolling
> > if I remember right,
> > then clients can be locked out of shell and ftp along with the admin.
mods
> > to the hosts.deny and allow files.
> >
> > > Cron is fully operational and normail.
> > >
> > > No strange processess
> >
> >   David Hahn
> >   PageKeeper Service
> >   1512 Deborah Road #102
> >   Rio Rancho, New Mexico 87124 US
> >   505-892-8723
> >   http://www.pagekeeperservice.com
> >
> >
> > _____________________________________
> > cobalt-users mailing list
> > cobalt-users@xxxxxxxxxxxxxxx
> > To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
> >
> >
>
> _____________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
>

References:
- [cobalt-users] Virus Scanner and Spam Filter for RAQ3 Server
  - From: Giby P
- Re: [cobalt-users] CHkrootkit output
  - From: William J.A. Brillinger
- Re: [cobalt-users] CHkrootkit output
  - From: R. Hamburg .: HaVa Web- & Processdesign :.
- Re: [cobalt-users] CHkrootkit output
  - From: PageKeeper Service
- Re: [cobalt-users] CHkrootkit output
  - From: R. Hamburg .: HaVa Web- & Processdesign :.
- Re: [cobalt-users] CHkrootkit output
  - From: PageKeeper Service
- Re: [cobalt-users] CHkrootkit output
  - From: Ted

Prev by Date: Re: [cobalt-users] CHkrootkit output
Next by Date: Re: [cobalt-users] CHkrootkit output
Previous by thread: Re: [cobalt-users] CHkrootkit output
Next by thread: Re: [cobalt-users] CHkrootkit output

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index