Re: [cobalt-users] CHkrootkit output
- Subject: Re: [cobalt-users] CHkrootkit output
- From: "PageKeeper Service" <host@xxxxxxxxxxxxxxxxxxxxx>
- Date: Sun Apr 18 11:38:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> Can I contact you directly somewhere, David?
Yes. Here at the number below in the sig right now.
PageKeeper Service
1512 Deborah Road #102
Rio Rancho, New Mexico 87124 US
505-892-8723
http://www.pagekeeperservice.com
>
>
> Subject: Re: [cobalt-users] CHkrootkit output
>
>
> > > Subject: Re: [cobalt-users] CHkrootkit output
> > >
> > >
> > > > Sounds like a Trojan of some sort.
> > > > Can you see it running in top?
> > > >
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > Subject: Re: [cobalt-users] CHkrootkit output
> > > >
> > > >
> > > > > Subject: Re: [cobalt-users] CHkrootkit output
> > > > >
> > > > >
> > > > > > >
> > > > > > > I believe that machine has been hacked. Is cron doing weird stuff? Other
> > > > > > > processes like devine?
> > > > > >
> > > > > >
> > > > > > And your conclusion is based on ...?
> > > > > Seeing it first hand. Some notes...
> > > > > Cron will work. Turning it off is the problem. A process called devine
> > > > > will pop up usually once a day and stay running. It's nasty. I believe it
> > > > > can sniff the username and pw of clients' ISP logins besides the system
> > > > > passwords. They used a wget from the server to download it from a free
> > > > > ISP in Europe.
> > > > > They entered through a script called phpnuke one time and cgi (forgot
> > > > > the name) on another RaQ4. Other than those notes it ran fine. It also
> > > > > searches files for cc numbers, email addresses and any ftp user
> > > > > connections from any scripts.
> > > > > Once I saw that, it went offline. A reboot usually starts the ball
> > > > > rolling if I remember right, then clients can be locked out of shell
> > > > > and ftp along with the admin. Mods to the hosts.deny and allow files.
> > > > >
> > > > > > Cron is fully operational and normal.
> > > > > >
> > > > > > No strange processes
> > >
> > > Google T0rn Rootkit. I think that is part of the package that was
> > > installed. I'll try to find my notes.
> >
> > BTW, can anyone share the fix to keep the below out of chkrootkit's
> > output?
> >
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Jcode/.packlist
> > /usr/lib/perl5/5.00503/i386-linux/.packlist
> >
> > or with the latest MySQL,
> >
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/DBI/.packlist
> >
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Msql-Mysql-modules/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Jcode/.packlist
> > /usr/lib/perl5/5.00503/i386-linux/.packlist
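Added example (not from this thread and not part of chkrootkit): a small triage script for the .packlist question above. Rather than suppressing those lines by filename, it drops a hit only when the path is a Perl .packlist and the file's content actually looks like one (absolute paths, one per line, as ExtUtils::MakeMaker writes them), so a file that merely borrows the .packlist name still gets reported. The chkrootkit output excerpt, the file contents and the fake_read stub are constructed so it runs offline.

```python
import re
from typing import Callable, List, Tuple

# chkrootkit reports dotfiles from its /usr/lib scan, which catches the .packlist that
# Perl's ExtUtils::MakeMaker leaves next to each installed module.
PACKLIST_RE = re.compile(r"^/usr/lib/perl5/.*/\.packlist$")
ENTRY_RE = re.compile(r"^/[\w./+-]+(?:\s+\w+=\S+)*$")  # absolute path [key=value ...]

def looks_like_packlist(content: str) -> bool:
    """True only if every non-blank line is a plausible installed-file entry."""
    lines = [ln for ln in content.splitlines() if ln.strip()]
    return bool(lines) and all(ENTRY_RE.match(ln) for ln in lines)

def triage(output: str, read_file: Callable[[str], str]) -> Tuple[List[str], List[str]]:
    """Split the report's file hits into (benign_packlists, still_suspicious). A hit is
    dropped only if its path is a Perl .packlist AND its content looks like one."""
    benign, suspicious = [], []
    for line in output.splitlines():
        path = line.strip()
        if not path.startswith("/"):
            continue  # banner or status line, not a file hit
        try:
            if PACKLIST_RE.match(path) and looks_like_packlist(read_file(path)):
                benign.append(path)
                continue
        except OSError:
            pass  # unreadable: leave it on the report
        suspicious.append(path)
    return benign, suspicious

# Constructed sample in the shape of chkrootkit's hidden-file report (not real scan output).
SAMPLE_OUTPUT = """Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
/usr/lib/perl5/5.00503/i386-linux/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Jcode/.packlist
/usr/lib/.constructed_hidden_file
"""
# Constructed file contents standing in for the filesystem, so the example runs offline.
FAKE_FS = {
    "/usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist":
        "/usr/lib/perl5/site_perl/5.005/i386-linux/MD5.pm\n"
        "/usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/MD5.so type=file\n",
    "/usr/lib/perl5/5.00503/i386-linux/.packlist": "/usr/lib/perl5/5.00503/strict.pm\n",
    # Same expected name, but the content is not a packlist: it must stay on the report.
    "/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Jcode/.packlist": "\x7fELF constructed stub",
}

def fake_read(path: str) -> str:
    if path not in FAKE_FS:
        raise OSError(path)
    return FAKE_FS[path]
```

On a real host, pass chkrootkit's captured output and `lambda p: open(p).read()` instead of the stub; whatever lands in the second list still needs a human look.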