[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] Been Hacked - WAS: Bad Data in /var/run/utmp

Subject: Re: [cobalt-users] Been Hacked - WAS: Bad Data in /var/run/utmp
From: Joi <joi@xxxxxxxx>
Date: Sat Feb 10 17:17:55 2001
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

At 05:59 PM 2/10/01 -0500, you wrote:

<SNIP>

patch listed on the Cobalt web site... Yesterday I started havingstrangeness when doing a "ps aux"... Everything was sorted by USERIDinstead of by PID <as usual>. Then when trying to do a top, I recv'd "BadData in /var/run/utmp"...So this morning I got on line with Cobalt, and flipped on Telnet to givethem access and discovered you couldn't connect via Telenet --OR-- FTP...(But I could still get in via SSH2)... She said something about once theyget in, they span the SSH daemon to get other connections <??>.. The onlyother difference I could find between this comprised box and my other twoin operation... Under /var/run/ - the comprimed box had a strange syslogfile... The two *uncomprised boxes run:
/var/run/syslogd.pid

But on the comprised box it was:

/var/run/syslog.pid

Last week, I had the same exact symptoms. Web pages served up nicely asper usual, but no POP, Telnet, or FTP connections were beingaccepted. Today, I looked at /var/run/ and saw a syslogd.pid dated (when Iwas able to boot the server and regain my lost services). I did a ps -auxand found the same thing: Instead of being listed by PID as usual,everything was listed by user.

I won't even think about anything but a full wipe and OS restall.. But Itell you what.. when IPchains goes in this time, I'm putting up one MEANFIREWALL that let's NO ONE in that box except via FTP <over SSH2> and WWWports.... I'm sure I'll be running my firewall rules by the list in thecoming day or so for any input on their config..

Unfortunately, with the number of customers I have on this box, wiping thedrive and reinstalling everything (not to mention getting all the domains,sites, and users back in working order) would require more downtime thanI'm interested in having.

I have all my patches in place (I'm on a RAQ2) and I've looked through allthe standard logs, etc. Is there anything specific I can look for to makesure someone's not running amok on my box? Any other unusual things anyoneelse has found on their RAQ lately?


Joe Colburn


-------------------------------------------------------------------------------------------------------------------------------

Free web space and email, profiles, postcards, auctions, etc:http://www.GotBlack.com

Follow-Ups:
- RE: [cobalt-users] Been Hacked - WAS: Bad Data in /var/run/utmp
  - From: Charlie H.

References:
- [cobalt-users] Been Hacked - WAS: Bad Data in /var/run/utmp
  - From: Craig Napier

Prev by Date: [cobalt-users] OS Restore Hangs at Loading Kernel
Next by Date: [cobalt-users] Cobalt Care PaQ
Previous by thread: [cobalt-users] Been Hacked - WAS: Bad Data in /var/run/utmp
Next by thread: RE: [cobalt-users] Been Hacked - WAS: Bad Data in /var/run/utmp

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index