
[cobalt-users] Interface Promiscuous Mode and FTP Hacks



With chkrootkit I get a message that each of my eth are in promiscuous mode... What does this mean (I know not good), and can it be switched back? Also, if named is corrupted (bad md5sum) can it be replaced?

I've stripped out a SH back door that gets added to /etc/inetd.conf every several hours. But that has stopped recently since I replaced the net-tool kit I got off Cobalt web site (as someone else suggested). chkrootkit was telling me it had found an LKM Trojan, but when I reinstalled the net-toolkit that disappeared. I realize I have to rebuild the box, but I'm just buying time to migrate the user base.

We have a problem, Houston. This box was hacked twice and the second time it was fully loaded with all the patches (including BIND) along with Tripwire, SSH2, Portsentry, Logcheck, a light firewall, and SPAM guard, before going live on the net... The only thing I can figure is they came in on FTP...<??> I see others are finding the same back door... So does ANYONE know how these kids are getting into these boxes if BIND is patched? (besides possibly FTP..?)?

I've turned off FTP for the time being. Sorry for the inconvenience to the customers, but we're going into bunker mode.
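Added example, not part of the original post and not the poster's own tooling: a check for the kind of /etc/inetd.conf entry the message describes, where an inetd service is bound directly to a command shell. The function name, the list of shell names and the sample file are assumptions constructed for illustration; the field layout is the standard inetd.conf one.

```shell
#!/bin/sh
# List inetd.conf entries whose server program (field 6) or first
# argument (field 7, e.g. behind a tcpd wrapper) is a command shell.
# Field layout:
#   service socket-type protocol wait/nowait user server-program args...

find_shell_services() {
    # $1: path to an inetd.conf-style file, or "-" to read stdin
    awk '
        /^[ \t]*#/ || NF < 6 { next }         # skip comments and short lines
        {
            for (i = 6; i <= 7 && i <= NF; i++) {
                n = split($i, parts, "/")      # basename of the path
                if (parts[n] ~ /^-?(sh|ash|bash|csh|ksh|tcsh|zsh)$/) {
                    printf "%d: %s\n", NR, $0  # line number + full entry
                    next
                }
            }
        }
    ' "${1:-/etc/inetd.conf}"
}

# Constructed sample input (not taken from the affected server).
sample_conf() {
    cat <<'EOF'
# constructed inetd.conf sample
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
echo    stream  tcp  nowait  root    internal
svc-x   stream  tcp  nowait  root    /bin/sh  sh -i
EOF
}

# With a file argument, check that file; otherwise run on the sample.
if [ -n "$1" ]; then
    find_shell_services "$1"
else
    sample_conf | find_shell_services -
fi
```

On a host where chkrootkit has reported an LKM trojan, the installed awk and cat may themselves have been replaced, so run a check like this from known-good binaries or against a copy of the file on another machine. Running it from cron and alerting on any output would catch an entry that keeps being re-added.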