
Re: [cobalt-users] Raq550: SMTP shutting down



Crocket wrote:

> The folder Legendport contains 3 files infected with the Linux.RST.B virus .
> Please advise 

Do a clean reinstall from the recovery CD
reinstall all patches (but do NOT connect to the network unless you're protected by a firewall which only allows access to the patch-server)
severely secure system (policies & a firewall of course)
restore all data files
check all files for virus / trojans / backdoors (using clamav)
go back online.

Installing an intrusion detection system might warn you earlier. chkrootkit is also nice to run once you think something might be wrong.

Success
(been there, done that)

 
> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Crocket
> Sent: Thursday 18 March 2004 18:29
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: RE: [cobalt-users] Raq550: SMTP shutting down
> 
> 
> Dang, it's in /home/tmp
> 
> [root tmp]# ls -l
> total 3892
> -rw-r--r--    1 httpd    httpd      379849 Feb  5 13:12 amech.tgz
> -rw-r--r--    1 httpd    httpd      856405 Mar 10 14:08 bot.tgz
> -rw-r--r--    1 httpd    httpd      856405 Mar 10 14:08 bot.tgz.1
> -rw-r--r--    1 httpd    httpd      856405 Mar 10 14:08 bot.tgz.2
> -rw-------    1 root     root           49 Mar 18 17:58 ClamAVBusy.lock
> -rw-r--r--    1 httpd    httpd          43 Mar 18 16:18 cmdtemp
> drwxr-xr-x    2 root     root            6 Dec 22 10:28 dbmtest.26876
> drwxr-xr-x    2 root     root            6 Dec 22 10:34 dbmtest.27203
> drwxr-xr-x    2 root     root            6 Dec 21 23:44 dbmtest.32482
> -rwxr-xr-x    1 httpd    httpd      476847 Mar 18 16:36 I
> -rw-r--r--    1 httpd    httpd       31287 Mar 18 16:52 index.html
> drwxr-xr-x    2 httpd    httpd          45 Mar 18 16:18 LegendPort
> -rw-r--r--    1 httpd    httpd       20303 Feb  5 08:42 LegendPort.tgz
> -rw-r--r--    1 httpd    httpd       20303 Feb  5 08:42 LegendPort.tgz.1
> -rw-r--r--    1 httpd    httpd       20303 Feb  5 08:42 LegendPort.tgz.2
> -rw-r--r--    1 httpd    httpd       20303 Feb  5 08:42 LegendPort.tgz.3
> -rw-r--r--    1 httpd    httpd       20303 Feb  5 08:42 LegendPort.tgz.4
> -rw-r--r--    1 httpd    httpd       20303 Feb  5 08:42 LegendPort.tgz.5
> -rw-r--r--    1 httpd    httpd       20303 Feb  5 08:42 LegendPort.tgz.6
> -rw-r--r--    1 httpd    httpd       20303 Feb  5 08:42 LegendPort.tgz.7
> -rw-r--r--    1 httpd    httpd       20303 Feb  5 08:42 LegendPort.tgz.8
> -rw-r--r--    1 httpd    httpd       20303 Feb  5 08:42 LegendPort.tgz.9
> drwxr-xr-x    2 httpd    httpd           6 Feb 19 23:23 paletteStatus
> -rw-------    1 httpd    httpd      158689 Mar 11 04:02 phpAja8f9
> -rw-------    1 httpd    httpd         387 Mar 18 15:59 sess_05629467318cd838bb21cf52d8ab8cbf
> -rw-------    1 httpd    httpd         387 Mar 18 16:18 sess_fb020d945831fc06b2472e85be647076
> -rw-------    1 httpd    httpd         517 Mar 18 16:32 sess_fd686a00a408f89be115bceddb21ea6b
> -rw-------    1 httpd    httpd         387 Mar 18 17:11 sess_fecf1e0917f8518fdcb02655f6dc8c89
> ... a bunch of sessionfiles ...
> drwx------    4 httpd    httpd        4096 Mar 17 15:03 shit
> -rwxr-xr-x    1 httpd    httpd       15780 Mar  4 02:48 undernet
> -rw-r--r--    1 httpd    httpd        6227 Mar  3 19:40 undernet.tgz
> 
> There's a lot of crap that's not supposed to be there.
> Any way to find out from where they were able to upload it? httpd access log?
> I suppose it's upped through some php form right?
> 
> 
> 
> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Dmitry Alexeyev
> Sent: Thursday 18 March 2004 17:34
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-users] Raq550: SMTP shutting down
> 
> 
> 
> > Almost 94% used by a certain command. What is this "undernet" command
> > about? The only undernet I know is the IRC channel...
> 
> Maybe it's IRC bot?
> Anyways, do
> # find /home/sites -name undernet
> 
> You probably have a visitor.
> 
> 
> >
> > 19379 httpd     19   0   472  472   400 R       0 93.9  0.0   7:31 undernet
> > A few minutes after that the server is back 85% idle ....
> 
> 
> 
> _____________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
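As an added example (not code from anyone in this thread), one way to follow up on the "httpd access log?" question above: take the mtimes of the suspect files from the ls -l listing in /home/tmp and correlate them against POST requests to PHP scripts in the Apache access log shortly before each file appeared. The log lines and IP addresses below are constructed; the mtimes are the ones shown in the listing, with the year assumed to be 2004 and the log timestamps assumed to be in the server's local time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Apache access log (Common Log Format); not from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2004:16:17:55 +0100] "POST /forum/upload.php HTTP/1.1" 200 512
198.51.100.3 - - [18/Mar/2004:16:18:02 +0100] "GET /index.html HTTP/1.1" 200 31287
203.0.113.7 - - [18/Mar/2004:16:35:40 +0100] "POST /forum/upload.php HTTP/1.1" 200 498
203.0.113.7 - - [18/Mar/2004:16:36:10 +0100] "GET /forum/attachments/I HTTP/1.1" 200 476847
192.0.2.9 - - [17/Mar/2004:15:02:30 +0100] "POST /guestbook/post.php HTTP/1.1" 200 220
"""

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# mtimes of suspect files from the ls -l in the thread (ls omits the year; 2004 assumed)
SUSPECT_MTIMES = {
    "cmdtemp": datetime(2004, 3, 18, 16, 18),
    "I": datetime(2004, 3, 18, 16, 36),
    "shit": datetime(2004, 3, 17, 15, 3),
}

def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    # Drop the timezone offset: mtimes from ls are local time, assumed to match the log.
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}

def correlate(log_text, mtimes, window=timedelta(minutes=2)):
    """Map each suspect filename to the (ip, script, time) of POSTs to .php scripts
    that landed within `window` before the file's mtime."""
    hits = {}
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    for name, mtime in mtimes.items():
        for e in entries:
            if (e["method"] == "POST" and e["path"].endswith(".php")
                    and mtime - window <= e["ts"] <= mtime):
                hits.setdefault(name, []).append(
                    (e["ip"], e["path"], e["ts"].strftime("%H:%M:%S")))
    return hits

def source_ips(hits):
    """Distinct client addresses behind the correlated uploads, sorted."""
    return sorted({ip for matches in hits.values() for ip, _, _ in matches})
```

Widen the window if the files were unpacked from a tarball some time after the upload, and run the same correlation against the per-site logs under /home/sites as well as the main access log.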