
[cobalt-users] Hacked raq3s
Hi all.

We manage a colocation facility, where we have had (to date) eight
compromised cobalt raq3 servers.  (Including two in a larger data center,
where we had a whole class C shut down as a result of the 0wn3d boxes
flooding).

I was wondering if there was some common cause to this hacking of
late?  If there was some fix that should be applied?  These are customer
boxes, but because they are colocated, the problems often fall to us to
fix.

SECOND QUESTION:

I tried to restore a raq3 via the following method:

1.  Mounted the raq3 hard drive in a FreeBSD machine with the ext2fs
utilities, and tarred every partition off to a backup drive.

2. Complete re-install of the system from the restore CD.

3. Pull /usr/local/frontpage, /home, and /etc from the backup and restore
them to the raq.  I know this isn't foolproof (there could be corrupt
binaries in one of those three locations, but usually I've found that
corrupt binaries are in the place you'd expect to find binaries, or in
/dev (because nobody looks there)).  Following this, I can scan startup
scripts for diffs versus the originals.

Okay, the problem reported is that while all the sites work after this,
the admin util doesn't show any of them, leading me to believe the admin's
database is in one of those other locations.  Does anyone know where (or
if it's *shudder* pgsql)?

Anyway, how would I restore it?

-Dan Mahoney

--

"It would be bad."

-Egon Spengler, "Ghostbusters"

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Web: http://prime.gushi.org
finger danm@xxxxxxxxxxxxxxx 
for pgp public key and tel#
---------------------------
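Step 3 of the procedure above ends with scanning the restored startup scripts against the originals and notes /dev as a place nobody looks. The following is an added shell helper for both checks; it is not code from the original post, and the mount paths in its usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: two post-restore checks for
# the procedure described above. Paths are arguments; nothing here is a
# Cobalt-specific location.

# Compare startup scripts restored from backup ($1) against a pristine tree
# taken from the fresh install ($2). Prints one line per difference:
#   MODIFIED: content differs   EXTRA: only in restored   MISSING: only in pristine
# Prints nothing when the trees match.
check_startup_scripts() {
    restored="$1"; pristine="$2"
    ( cd "$restored" && find . -type f ) | sort | while IFS= read -r f; do
        if [ ! -f "$pristine/$f" ]; then
            echo "EXTRA:    $f"
        elif ! cmp -s "$restored/$f" "$pristine/$f"; then
            echo "MODIFIED: $f"
        fi
    done
    ( cd "$pristine" && find . -type f ) | sort | while IFS= read -r f; do
        [ -f "$restored/$f" ] || echo "MISSING:  $f"
    done
}

# A /dev tree should hold device nodes, directories and symlinks only;
# list any regular files found under $1 (dotfiles included).
find_regular_files_in_dev() {
    find "$1" -type f
}

# Usage on a restored disk mounted at /mnt/raq, with a pristine copy of
# /etc taken right after the reinstall at /mnt/pristine-etc (assumed paths):
#   check_startup_scripts /mnt/raq/etc/rc.d /mnt/pristine-etc/rc.d
#   find_regular_files_in_dev /mnt/raq/dev
```

Anything reported as MODIFIED or EXTRA is a candidate for a manual diff against the restore CD copy before the box goes back online.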