[cobalt-users] IMPORTANT - POSSIBLE HACKS WITH PATCHES!!
- Subject: [cobalt-users] IMPORTANT - POSSIBLE HACKS WITH PATCHES!!
- From: "Craig Napier" <craignapier@xxxxxxxxxxx>
- Date: Thu Feb 15 00:00:57 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
What is port 60000..? Should I just remove this line and reboot the
box..? Just trying to figure out if it's compromised again.. even with all
the patches and updates installed *EVEN* before it was brought back
online..
Search the file /etc/services for the port.
I looked on my systems and can't find a port 60000
Looks suspicious!
I agree it looks suspicious, esp. after just coming back three days ago from
a hack. But I don't see this port anywhere in the services file, and I
haven't been able to really find anything else out of the ordinary *except*
those two strange "isam" files:
/usr/bin/isamchk
/usr/bin/isamlog
I *think* these are tied to mySQL pkg I installed... (but I'm not sure)..
But if it has been compromised, there's an even bigger threat to the
Internet community besides just this BIND exploit... Prior to even being
hooked back up to the net, this box had the following installed:
portsentry
logcheck
IPChains
SSH2
a simple firewall
and ALL the Cobalt updates/patches...
I've just installed Tripwire and although it would have been best prior to
taking it live, if someone *DOES* get inside, now I'll be able to see/tell
what they've touched...
-Craig
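
The /etc/services search suggested in the thread above, as an added example that is not part of the original post: a field-aware lookup that avoids the false matches a plain text search can hit in comments. The function name `lookup_port` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: look up a port number in a services(5)-format file.
# Line layout: name  port/proto  [aliases...]  [# comment]

lookup_port() {
    # $1 = port number, $2 = services file (defaults to /etc/services)
    # Prints name/proto for every match; returns 1 when there is none.
    awk -v port="$1" '
        { sub(/#.*/, "") }            # drop comments so text in them cannot match
        NF < 2 { next }               # skip blank or malformed lines
        {
            split($2, pp, "/")        # pp[1] = port, pp[2] = protocol
            if (pp[1] == port) { print $1 "/" pp[2]; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "${2:-/etc/services}"
}

# Constructed sample file (not taken from any real system).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample services file
ssh             22/tcp
domain          53/tcp    nameserver
domain          53/udp    nameserver
mysql           3306/tcp                # note: not port 60000
EOF

# A plain "grep 60000" would match the comment on the mysql line;
# the field-aware lookup reports that no service is registered on it.
for p in 53 60000; do
    if names=$(lookup_port "$p" "$SAMPLE"); then
        echo "port $p: registered as" $names
    else
        echo "port $p: no entry in services file"
    fi
done
```

The services file only maps names to port numbers, so a missing entry means the port has no registered name on that system, not that nothing is listening on it.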