[cobalt-users] FW: Raq 3 and Security issue
- Subject: [cobalt-users] FW: Raq 3 and Security issue
- From: "Wilkins, Jason" <jason.wilkins@xxxxxxxxxxxxxxxxxx>
- Date: Thu Feb 8 03:55:06 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Hi all,
>
> Hope you do not mind me posting this?
>
> I have a leased raq3 from a company called UK2NET, they also have a members list and there are a lot of emails flowing around re our systems being hacked!
>
> I was advised to do a listing of a directory and if there were files there then my server has been compromised.
>
> Can anyone offer any advice?
>
> If I do an ls -al of the directory /lib/security/.config I get....
>
> total 386
> drwxr-xr-x 5 root root 1024 Feb 8 09:27 .
> drwxr-xr-x 3 root root 1024 Feb 7 16:09 ..
> -rwxr-xr-x 1 root root 14755 Feb 7 16:09 ava
> drwxr-xr-x 2 root root 1024 Feb 7 16:09 backup
> drwxr-xr-x 2 root root 1024 Feb 7 16:09 bin
> -rwxr--r-- 1 root root 4032 Feb 7 16:09 cleaner
> -rwxr-xr-x 1 root root 3648 Feb 7 16:09 crypt
> -rwxr-xr-x 1 root root 60 Feb 7 16:09 instmod
> -rwxr-xr-x 1 root root 5192 Feb 7 16:09 lpsched
> -rw------- 1 root root 180703 Feb 7 16:13 nfs-utils-0.1.9.1-1.i386.rpm
> -rwxr-xr-x 1 root root 2780 Feb 7 16:09 patcher
> -rwxr-xr-x 1 root root 3216 Feb 7 16:09 pg
> -rwxr-xr-x 1 root root 8816 Feb 7 16:09 rcp
> -rw-r--r-- 1 root root 94 Feb 7 16:13 scan.log
> drwxr-xr-x 2 root root 1024 Feb 7 16:09 ssh
> -rwxr-xr-x 1 root root 96026 Feb 7 16:09 sshd
> -rwxr-xr-x 1 root root 1596 Feb 7 16:09 sz
> -rwxr-xr-x 1 root root 3052 Feb 7 16:09 utime
> -rwxr-xr-x 1 root root 55604 Feb 7 16:09 wget
>
> In addition I did a cat on the file mfs and out comes a list of logon times, usernames and passwords as below. Please note I have changed the usernames and passwords for security reasons.
>
> This is an extract only; the file is a lot larger.
>
> ============================================================
> Time: Wed Feb 7 16:09:38 Size: 8
> Path: m234-mp1-cvx2b.ren.ntl.com => raq474.uk2net.com [110]
> ------------------------------------------------------------
>
> ============================================================
> Time: Wed Feb 7 16:11:08 Size: 8
> Path: 195.58.204.5 => raq463.uk2net.com [110]
> ------------------------------------------------------------
>
> ============================================================
> Time: Wed Feb 7 16:13:17 Size: 46
> Path: operandi.netcomuk.co.uk => ns.easywebhost.co.uk [110]
> ------------------------------------------------------------
> USER user1
> PASS password1
> STAT
> QUIT
>
> ============================================================
> Time: Wed Feb 7 16:13:23 Size: 51
> Path: operandi.netcomuk.co.uk => ns.easywebhost.co.uk [110]
> ------------------------------------------------------------
> USER user2
> PASS user2
> STAT
> QUIT
>
> ============================================================
> Time: Wed Feb 7 16:13:23 Size: 52
> Path: operandi.netcomuk.co.uk => ns.easywebhost.co.uk [110]
> ------------------------------------------------------------
> USER user3
> PASS password3
> STAT
> QUIT
>
>
> This file lists all usernames and passwords.
>
> Please can anyone advise.
>
> 1. Has my system been hacked or are the files normal?
>
> 2. What can I do to stop the hack?
> i.e. is there a process running sending out these files?
>
>
> Thank you
>
> Regards
> Jason
>
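
Added example, not part of the original post: a Python sketch for incident response that parses a log in the format quoted above and lists, per destination server, which accounts had a USER/PASS pair captured, so those passwords can be reset. The function name and the sample log (constructed from the redacted extract in the post) are assumptions; passwords are read but never stored or printed.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post (values already redacted there).
SAMPLE_LOG = """\
============================================================
Time: Wed Feb 7 16:09:38 Size: 8
Path: m234-mp1-cvx2b.ren.ntl.com => raq474.uk2net.com [110]
------------------------------------------------------------

============================================================
Time: Wed Feb 7 16:13:17 Size: 46
Path: operandi.netcomuk.co.uk => ns.easywebhost.co.uk [110]
------------------------------------------------------------
USER user1
PASS password1
STAT
QUIT

============================================================
Time: Wed Feb 7 16:13:23 Size: 51
Path: operandi.netcomuk.co.uk => ns.easywebhost.co.uk [110]
------------------------------------------------------------
USER user2
PASS user2
STAT
QUIT
"""

PATH_RE = re.compile(r"^Path:\s*(\S+)\s*=>\s*(\S+)\s*\[(\d+)\]")

def exposed_accounts(log_text):
    """Return {(server, port): sorted usernames} for sessions where a PASS was captured."""
    found = defaultdict(set)
    dest = user = None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()    # tolerate mail-quoted copies of the log
        m = PATH_RE.match(line)
        if m:                               # new record: reset per-session state
            dest, user = (m.group(2), int(m.group(3))), None
        elif line.upper().startswith("USER "):
            user = line[5:].strip()
        elif line.upper().startswith("PASS ") and dest and user:
            found[dest].add(user)           # record the account, never the password
    return {d: sorted(u) for d, u in found.items()}

if __name__ == "__main__":
    for (server, port), users in exposed_accounts(SAMPLE_LOG).items():
        print(f"{server}:{port} -> reset passwords for: {', '.join(users)}")
```

Records with no captured credentials, such as the first one in the sample, produce no entry.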