
Re: [cobalt-users] Trinoo DDoS server in init



Great, thanks guys. I removed /usr/sbin/init and that solved that problem.
However now I wonder from which script the /usr/sbin/init file was being
called. I've gone through all the scripts in /etc/rc.d and can't find
anything. However I did notice the file dates on /etc/rc.d/init.d/tmpinit
and arkeia have been changed. Does anyone have the correct copies of these
files available? Lastly, all files in /lib/security have their file dates
changed. Are the files in /lib/security part of an rpm or package I can
download and reinstall?

Oh yeah, and I would like to second that notion of chopping their fingers
off!

Thanks again,
Roger

----- Original Message -----
From: "Tony" <isplists@xxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Thursday, February 15, 2001 7:47 PM
Subject: RE: [cobalt-users] Trinoo DDoS server in init


>
> +> I was hacked a few days ago, and it looks as though my /usr/sbin/init file
> +> has been replaced with a version containing a Trinoo DDoS server. The init
> +> file /sbin/init appears untouched however. Is /sbin/init the same file as
> +> /usr/sbin/init, or are they different? If they are different, could someone
> +> possibly attach a clean version to an e-mail or put it up on a web site etc?
> +>
> +
> +
> +
> +[root@www /root]# ls -l /usr/sbin/init
> +ls: /usr/sbin/init: No such file or directory
> +
> +[root@www /root]# ls -l /sbin/init
> +-rwxr-xr-x   1 root     root        27176 Apr 25  2000 /sbin/init
> +
> +[root@www /root]# md5sum /sbin/init
> +5a64a78a799ab2e0cc3c8a6f931ab2f4  /sbin/init  <== could someone else verify?
> +
> +
> +other md5 checksums here:
> +
> +http://list.cobalt.com/pipermail/cobalt-users/2001-February/032902.html
>
>
> Mine matches:
>
> [root /sbin]# md5sum init
> 5a64a78a799ab2e0cc3c8a6f931ab2f4  init
>
> The bogus init is at /usr/sbin
>
> Looks like they also enabled samba.
>
> *!GDMOFOS.
>
> I would really like to see the scriptkiddies that are behind this have
> every one of their fingers chopped off with a pair of pruning shears.
>
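
The checks discussed in this thread, as an added example that is not part of the original messages: compare a binary against a known-good md5, list the scripts that mention a suspect path, list files modified after a reference file, and ask rpm which package owns a file. The function names are made up for illustration; the hash is the /sbin/init value both posters reported.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# KNOWN_GOOD_INIT is the md5 that both posters reported for /sbin/init.
KNOWN_GOOD_INIT=5a64a78a799ab2e0cc3c8a6f931ab2f4

# check_md5 FILE EXPECTED
# Returns 0 if FILE exists and its md5 equals EXPECTED, 1 otherwise.
check_md5() {
    [ -f "$1" ] || return 1
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# find_callers DIR PATH
# Prints every file under DIR that contains the literal string PATH,
# e.g. find_callers /etc/rc.d /usr/sbin/init
find_callers() {
    grep -rlF -- "$2" "$1" 2>/dev/null | sort
}

# changed_since DIR REF
# Prints files under DIR whose mtime is newer than the file REF.
# Use a file known to predate the break-in as REF.
changed_since() {
    find "$1" -type f -newer "$2" 2>/dev/null | sort
}

# rpm_audit FILE...
# For each file, prints the owning package (rpm -qf) and any verification
# failures rpm reports for that file (rpm -V). Files no package owns are
# flagged, since they cannot be restored by reinstalling an rpm.
rpm_audit() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    for f in "$@"; do
        pkg=$(rpm -qf "$f" 2>/dev/null) || { echo "UNOWNED $f"; continue; }
        echo "$f owned by $pkg"
        rpm -V "$pkg" | grep -F -- "$f"
    done
    return 0
}

# Typical use on the machine from the thread:
#   check_md5 /sbin/init "$KNOWN_GOOD_INIT" || echo "init differs"
#   find_callers /etc/rc.d /usr/sbin/init
#   rpm_audit /lib/security/*
```

On a host that has been rooted, run these from known-clean media, since md5sum, grep, find and rpm on the system may themselves have been replaced, and file dates can be reset by the intruder.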