RE: [cobalt-users] Trinoo DDoS server in init
- Subject: RE: [cobalt-users] Trinoo DDoS server in init
- From: "Tony" <isplists@xxxxxxxxxxxx>
- Date: Thu Feb 15 01:02:03 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
+> I was hacked a few days ago, and it looks as though my /usr/sbin/init file
+> has been replaced with a version containing a Trinoo DDoS server. The init
+> file /sbin/init appears untouched however. Is /sbin/init the same file as
+> /usr/sbin/init, or are they different? If they are different, could someone
+> possibly attach a clean version to an e-mail or put it up on a web site etc?
+>
+
+
+
+[root@www /root]# ls -l /usr/sbin/init
+ls: /usr/sbin/init: No such file or directory
+
+[root@www /root]# ls -l /sbin/init
+-rwxr-xr-x 1 root root 27176 Apr 25 2000 /sbin/init
+
+[root@www /root]# md5sum /sbin/init
+5a64a78a799ab2e0cc3c8a6f931ab2f4 /sbin/init <== could someone else verify?
+
+
+other md5 checksums here:
+
+http://list.cobalt.com/pipermail/cobalt-users/2001-February/032902.html
Mine matches:
[root /sbin]# md5sum init
5a64a78a799ab2e0cc3c8a6f931ab2f4 init
The bogus init is at /usr/sbin
Looks like they also enabled samba.
*!GDMOFOS.
I would really like to see the scriptkiddies that are behind this have
every one of their fingers chopped off with a pair of pruning shears.
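
The check done by hand in this thread (compare `/sbin/init` against a hash from a known-good box, and notice an `init` where none belongs) can be scripted; the following is an added example, not part of the original messages. It keeps `md5sum` because the thread uses it; the function names, the manifest file and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: offline integrity check of a mounted filesystem tree against
# a known-good md5sum-format manifest ("<hash>  <path relative to ROOT>").
# Run it from trusted media: md5sum and ls on a compromised host may lie.

# check_manifest ROOT MANIFEST -> prints MISSING/MISMATCH lines, returns 1 if any.
check_manifest() {
    cm_status=0
    while read -r cm_want cm_path; do
        [ -n "$cm_want" ] || continue
        if [ ! -f "$1/$cm_path" ]; then
            echo "MISSING $cm_path"; cm_status=1; continue
        fi
        cm_got=$(md5sum < "$1/$cm_path" | cut -d' ' -f1)
        [ "$cm_got" = "$cm_want" ] || { echo "MISMATCH $cm_path"; cm_status=1; }
    done < "$2"
    return "$cm_status"
}

# find_stray ROOT NAME EXPECTED -> prints "STRAY <relative path>" for every
# regular file named NAME under ROOT except the one at EXPECTED.
find_stray() {
    find "$1" -type f -name "$2" ! -path "$1/$3" | sed "s|^$1/|STRAY |" | sort
}

# demo: builds a constructed tree mirroring the thread (a clean sbin/init and
# a planted usr/sbin/init) and prints the findings.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root/sbin" "$d/root/usr/sbin"
    printf 'constructed clean init\n' > "$d/root/sbin/init"
    printf 'constructed trojaned init\n' > "$d/root/usr/sbin/init"
    # Baseline as it would be recorded on a known-good system.
    (cd "$d/root" && md5sum sbin/init) > "$d/baseline.md5"
    check_manifest "$d/root" "$d/baseline.md5"
    find_stray "$d/root" init sbin/init
    rm -rf "$d"
}

demo
```

A matching hash on the expected path says nothing about extra copies elsewhere, which is why the stray-file search runs separately from the manifest check.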