[cobalt-users] Raq 3 and Security issue
- Subject: [cobalt-users] Raq 3 and Security issue
- From: "Wilkins, Jason" <jason.wilkins@xxxxxxxxxxxxxxxxxx>
- Date: Thu Feb 8 03:16:01 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi all,
Hope you do not mind me posting this?
I have a leased raq3 from a company called UK2NET, they also have a
members list and there are a lot of emails flowing around re our systems
being hacked!
I was advised to do a listing of a directory and if there were files
there then my server has been compromised.
Can anyone offer any advice?
If I do an ls -al of the directory /lib/security/.config I get....
total 386
drwxr-xr-x 5 root root 1024 Feb 8 09:27 .
drwxr-xr-x 3 root root 1024 Feb 7 16:09 ..
-rwxr-xr-x 1 root root 14755 Feb 7 16:09 ava
drwxr-xr-x 2 root root 1024 Feb 7 16:09 backup
drwxr-xr-x 2 root root 1024 Feb 7 16:09 bin
-rwxr--r-- 1 root root 4032 Feb 7 16:09 cleaner
-rwxr-xr-x 1 root root 3648 Feb 7 16:09 crypt
-rwxr-xr-x 1 root root 60 Feb 7 16:09 instmod
-rwxr-xr-x 1 root root 5192 Feb 7 16:09 lpsched
-rw------- 1 root root 180703 Feb 7 16:13 nfs-utils-0.1.9.1-1.i386.rpm
-rwxr-xr-x 1 root root 2780 Feb 7 16:09 patcher
-rwxr-xr-x 1 root root 3216 Feb 7 16:09 pg
-rwxr-xr-x 1 root root 8816 Feb 7 16:09 rcp
-rw-r--r-- 1 root root 94 Feb 7 16:13 scan.log
drwxr-xr-x 2 root root 1024 Feb 7 16:09 ssh
-rwxr-xr-x 1 root root 96026 Feb 7 16:09 sshd
-rwxr-xr-x 1 root root 1596 Feb 7 16:09 sz
-rwxr-xr-x 1 root root 3052 Feb 7 16:09 utime
-rwxr-xr-x 1 root root 55604 Feb 7 16:09 wget
In addition I did a cat on the file mfs and out comes a list of logon
times, usernames and passwords as below. Please note I have changed the
usernames and passwords for security reasons.
This is an extract only; the file is a lot larger.
============================================================
Time: Wed Feb 7 16:09:38 Size: 8
Path: m234-mp1-cvx2b.ren.ntl.com => raq474.uk2net.com [110]
------------------------------------------------------------
============================================================
Time: Wed Feb 7 16:11:08 Size: 8
Path: 195.58.204.5 => raq463.uk2net.com [110]
------------------------------------------------------------
============================================================
Time: Wed Feb 7 16:13:17 Size: 46
Path: operandi.netcomuk.co.uk => ns.easywebhost.co.uk [110]
------------------------------------------------------------
USER user1
PASS password1
STAT
QUIT
============================================================
Time: Wed Feb 7 16:13:23 Size: 51
Path: operandi.netcomuk.co.uk => ns.easywebhost.co.uk [110]
------------------------------------------------------------
USER user2
PASS user2
STAT
QUIT
============================================================
Time: Wed Feb 7 16:13:23 Size: 52
Path: operandi.netcomuk.co.uk => ns.easywebhost.co.uk [110]
------------------------------------------------------------
USER user3
PASS password3
STAT
QUIT
This file lists all usernames and passwords.
Please can anyone advise.
1. Has my system been hacked or are the files normal?
2. What can I do to stop the hack?
i.e. is there a process running sending out these files?
Thank you
Regards
Jason