
[cobalt-users] swatch_service_body_defcon_2



Hi all,

Some of our RaQ servers have been hacked recently. This message:

swatch_service_body_defcon_2

was displayed in the Active Monitor Display - FTP Server, and was apparently
caused by a symptom of the hacking procedure. All services were running
normally except pop3 email, which appeared to be disabled.

On investigation it was discovered that a new service called "agetty" was
running on the server, and the inetd.conf, gshadow, shadow, passwd and group
files were all compromised.

To rectify the problem, the "agetty" service was killed, the
inetd.conf.noqpopper file was copied over the old inetd.conf file, and the
compromised files were all edited and fixed.

It was also necessary to remove an administration user on one of the sites
to allow the password files etc. to be rebuilt.

After this, all admin users were forced to change their passwords as well.
Rebooting without doing this step apparently causes problems with the sites
starting up and being available after reboot.

This has happened to several organisations using RaQs, and this posting to
the list is to at least give others a starting point in solving the
problems.

I hope this is of some help to people in similar situations, as we found it
very difficult to find any information regarding this in the Cobalt
Knowledgebase, email lists or the net in general.

Our thanks to Enet21 and its other affected clients for a prompt and
speedy response to this situation.

Regards,

Mark Buchanan
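The recovery steps in the post above were done by hand: spot the unexpected
service, notice that inetd.conf and the account files had been changed, and
restore inetd.conf from the inetd.conf.noqpopper copy. The script below is an
added example (not code from the post, from Cobalt or from Enet21) that turns
the same checks into something an admin can run before and after an incident:
it records a checksum baseline of the files the poster names as compromised,
reports which of them have changed, and lists the service lines in the live
inetd.conf that are not in a reference copy. The directory layout, the
baseline file name and every sample file line are constructed for the demo;
the only assumption about a real RaQ is that the files live under /etc.

```shell
#!/bin/sh
# Added example, not from the original post. Checksum baseline and diff
# helpers for the system files the poster found compromised. All paths and
# sample contents in demo() are constructed so the script runs offline.

# Files named in the post as compromised.
WATCHED_FILES="inetd.conf gshadow shadow passwd group"

# hash_file FILE: print a SHA-256 hex digest (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline ETC_DIR BASELINE_FILE: record "name digest" for each watched file.
# Run this on a known-good system and keep the baseline off the box.
make_baseline() {
    etc="$1"; out="$2"
    : > "$out"
    for f in $WATCHED_FILES; do
        [ -f "$etc/$f" ] || continue
        printf '%s %s\n' "$f" "$(hash_file "$etc/$f")" >> "$out"
    done
}

# check_baseline ETC_DIR BASELINE_FILE: print "CHANGED name" for every watched
# file whose digest differs from the baseline, is missing from it, or is gone.
# Exit status 0 means clean, 1 means at least one file changed.
check_baseline() {
    etc="$1"; base="$2"; changed=0
    for f in $WATCHED_FILES; do
        recorded=$(awk -v f="$f" '$1==f {print $2}' "$base")
        if [ -f "$etc/$f" ]; then current=$(hash_file "$etc/$f"); else current="missing"; fi
        if [ "$recorded" != "$current" ]; then
            echo "CHANGED $f"
            changed=1
        fi
    done
    return $changed
}

# extra_inetd_lines CURRENT REFERENCE: print non-comment, non-blank lines of
# CURRENT that do not appear verbatim in REFERENCE. These are the entries to
# review before copying the reference file back over inetd.conf.
extra_inetd_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while IFS= read -r line; do
        grep -qxF -- "$line" "$2" || echo "$line"
    done
}

# demo: build a constructed /etc, take a baseline, simulate tampering with one
# extra inetd entry, then run both checks. Always returns 0 after cleanup.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/etc"
    # Constructed reference inetd.conf (one ordinary ftp entry).
    printf 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n' > "$tmp/etc/inetd.conf.noqpopper"
    cp "$tmp/etc/inetd.conf.noqpopper" "$tmp/etc/inetd.conf"
    # Constructed minimal account files.
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/etc/passwd"
    printf 'root:*:10000:0:99999:7:::\n' > "$tmp/etc/shadow"
    printf 'root:x:0:\n' > "$tmp/etc/group"
    printf 'root:::\n' > "$tmp/etc/gshadow"
    make_baseline "$tmp/etc" "$tmp/baseline.txt"

    # Simulated tampering: a placeholder service line appended to inetd.conf.
    printf 'tamper stream tcp nowait root /path/to/unexpected-program\n' >> "$tmp/etc/inetd.conf"

    echo "== changed files =="
    check_baseline "$tmp/etc" "$tmp/baseline.txt" || true
    echo "== inetd.conf lines not in reference =="
    extra_inetd_lines "$tmp/etc/inetd.conf" "$tmp/etc/inetd.conf.noqpopper"
    rm -rf "$tmp"
    return 0
}

demo
```

On a real machine the baseline must be generated while the system is still
trusted and stored somewhere the box cannot write to, otherwise an intruder
who edits passwd can regenerate the baseline too. The inetd diff is the
quick way to see what was added before the reference file is copied back,
which is the step the poster describes.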