RE: [cobalt-users] paranoid
- Subject: RE: [cobalt-users] paranoid
- From: "Curtis Ross" <Curtis_Ross@xxxxxx>
- Date: Fri Feb 16 08:01:37 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> i'm trying to recover after being r00ted,
>
> so far all i have found was a rootshell on port 9705.
> there was a .bash_history in my / dir, but it was all scrambled txt i
> (i'd guess they got in, created a backdoor, and left)
>
> i've done md5sums on files and they seem ok, i ran chkrootkit and it reported
> i had an infected 'bindshell'
>
> what's bindshell and how do i fix this?
>
> i also have a couple of odd names in my /etc/passwd file
>
> pop:x:17:17:APOP:/etc:
> named:x:25:25:Named:/etc/named:/bin/false
>
> do these look ok?
>
If you're running PortSentry, I believe you will get a false positive
using chkrootkit. Check their site; I think they mention something about
it.
Curtis