[cobalt-users] Hacked Raq3 - some symptoms
- Subject: [cobalt-users] Hacked Raq3 - some symptoms
- From: vijay <vijay@xxxxxxxxxxxx>
- Date: Sat Feb 24 07:20:20 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hello,
Following is the one which hacked my system.
Feb 18 16:23:20 xxxxxx named[6270]: starting (/etc/named.conf). named 8.2.3-REL Fri Feb 9 19:22:23 EST 2001 ^Iroot@choke:/tmp/update/src/bin/named
xxxxx is my machine name.
Feb 19 07:38:43 xxxxx named[6287]: Lame server on 'sexxxmailer.com' (in 'sexxxmailer.com'?): [63.196.55.69].53 'NS4.CEN2K.COM'
Feb 20 13:36:36 xxxxx useradd[10783]: new group: name=named, gid=25
Feb 20 13:36:36 xxxxx useradd[10783]: new user: name=named, uid=25, gid=25, home=/etc/named, shell=/bin/false
Feb 20 13:37:34 xxxxx init: Switching to runlevel: 6
Feb 20 13:37:34 xxxxx mgetty[610]: failed dev=ttyS0, pid=610, got signal 15, exiting
Feb 20 13:37:42 xxxxx named[371]: named shutting down
This is how the hacker created a new user. I have removed this entry from the group and password files.
Feb 21 04:06:01 xxxxx named[381]: Lame server on 'bgl1dns-a.dts.in' (in 'dts.IN'?): [61.0.0.5].53 'ndl1dns-a.dts.IN'
Feb 21 04:06:01 xxxxx named[381]: Lame server on 'bgl1dns-a.dts.in' (in 'dts.IN'?): [61.0.0.9].53 'ndl1nms-a.dts.IN'
Feb 21 04:06:05 xxxxx named[381]: sysquery: query(bgl1dns-a.dts.in) All possible A RR's lame
Feb 21 04:06:14 xxxxx named[381]: Lame server on '71.61.117.211.in-addr.arpa' (in '117.211.in-addr.arpa'?): [134.75.30.1].53 'ns.kreonet.re.kr'
Feb 21 12:57:37 xxxxx proftpd[10110]: xxx.xxx.xxx.xxx (200.255.185.118[200.255.185.118]) - USER anonymous (Login failed): Can't find user.
Feb 21 12:57:38 xxxxx proftpd[10111]: xxx.xxx.xxx.xxx (200.255.185.118[200.255.185.118]) - USER anonymous (Login failed): Can't find user.
Feb 21 12:57:38 xxxxx proftpd[10110]: xxx.xxx.xxx.xxx (200.255.185.118[200.255.185.118]) - FTP session closed.
Feb 21 12:57:38 xxxxx proftpd[10111]: xxx.xxx.xxx.xxx (200.255.185.118[200.255.185.118]) - FTP session closed.
Feb 21 12:57:38 xxxxx proftpd[10112]: xxx.xxx.xxx.xxx (200.255.185.118[200.255.185.118]) - USER anonymous (Login failed): Can't find user.
Feb 21 12:57:38 xxxxx proftpd[10112]: xxx.xxx.xxx.xxx (200.255.185.118[200.255.185.118]) - FTP session closed.
Feb 21 12:57:42 xxxxx proftpd[10109]: xxx.xxx.xxx.xxx (200.255.185.118[200.255.185.118]) - USER anonymous (Login failed): Can't find user.
Feb 21 12:57: xxxxx proftpd[10109]: xxx.xxx.xxx.xxx (200.255.185.118[200.255.185.118]) - FTP session closed.
Feb 21 12:59:38 xxxxx proftpd[10132]: xxx.xxx.xxx.xxx (202.144.73.50[202.144.73.50]) - FTP session closed.
Feb 24 05:15:01 xxxxx inetd[8722]: execv /usr/sbin/in.identd: No such file or directory
This entry is there everywhere. Just wondering what this is. Is this file really missing?
Feb 24 16:09:42 xxxxx proftpd[966]: xxx.xxx.xxx.xxx (client79-102.hispeed.ch[62.2.79.102]) - no such user 'anonymous'
Feb 24 16:09:42 xxxxx last message repeated 4 times
Feb 24 16:09:42 xxxxx proftpd[966]: xxx.xxx.xxx.xxx (client79-102.hispeed.ch[62.2.79.102]) - USER anonymous (Login failed): Can't find user.
Feb 24 16:09:43 xxxxx proftpd[966]: xxx.xxx.xxx.xxx (client79-102.hispeed.ch[62.2.79.102]) - FTP session closed.
Feb 24 16:09:52 xxxxx proftpd[963]: xxx.xxx.xxx.xxx (client79-102.hispeed.ch[62.2.79.102]) - FTP session closed.
Feb 24 16:09:52 xxxxx proftpd[964]: xxx.xxx.xxx.xxx (client79-102.hispeed.ch[62.2.79.102]) - FTP session closed.
Feb 24 16:09:52 xxxxx proftpd[965]: xxx.xxx.xxx.xxx (client79-102.hispeed.ch[62.2.79.102]) - FTP session closed.
In general, the attempt has been to try for the IP address and if not
possible, for the Host Name.
Thought this may be useful for those who are hacked.
Regards
Vijay
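An added triage example, written for this archive page rather than taken from Vijay's post: a small Python script that pulls the three symptoms above out of a syslog file, namely useradd "new user" events, a named that announces at startup it was built under /tmp, and failed anonymous FTP logins counted per source address. The sample lines are constructed from the post's excerpts, and the function names and SCRATCH_DIRS list are my own choices.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the syslog excerpts quoted in the post.
SAMPLE_LOG = """\
Feb 18 16:23:20 xxxxx named[6270]: starting (/etc/named.conf). named 8.2.3-REL Fri Feb 9 19:22:23 EST 2001 \troot@choke:/tmp/update/src/bin/named
Feb 20 13:36:36 xxxxx useradd[10783]: new user: name=named, uid=25, gid=25, home=/etc/named, shell=/bin/false
Feb 21 12:57:37 xxxxx proftpd[10110]: xxx.xxx.xxx.xxx (200.255.185.118[200.255.185.118]) - USER anonymous (Login failed): Can't find user.
Feb 21 12:57:38 xxxxx proftpd[10111]: xxx.xxx.xxx.xxx (200.255.185.118[200.255.185.118]) - USER anonymous (Login failed): Can't find user.
Feb 24 16:09:42 xxxxx proftpd[966]: xxx.xxx.xxx.xxx (client79-102.hispeed.ch[62.2.79.102]) - no such user 'anonymous'
Feb 24 16:09:42 xxxxx proftpd[966]: xxx.xxx.xxx.xxx (client79-102.hispeed.ch[62.2.79.102]) - USER anonymous (Login failed): Can't find user.
"""
# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# Scratch directories nobody should be building a production daemon in (my assumption).
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def find_new_accounts(lines):
    """Every useradd 'new user' event; each one must match a known admin action."""
    hits = []
    for e in filter(None, map(parse, lines)):
        m = re.search(r"new user: name=(\S+?), uid=(\d+)", e["msg"])
        if e["prog"] == "useradd" and m:
            hits.append((e["ts"], m.group(1), int(m.group(2))))
    return hits

def find_scratch_built_named(lines):
    """BIND 8 logs 'user@host:path' of its build at startup; a build from /tmp is a red flag."""
    hits = []
    for e in filter(None, map(parse, lines)):
        m = re.search(r"(\S+)@([^:\s]+):(\S+)\s*$", e["msg"])
        if e["prog"] == "named" and e["msg"].startswith("starting") and m \
                and m.group(3).startswith(SCRATCH_DIRS):
            hits.append((e["ts"], f"{m.group(1)}@{m.group(2)}", m.group(3)))
    return hits

def count_anonymous_ftp_failures(lines):
    """Failed anonymous FTP logins per source address, to spot who is probing the box."""
    counts = Counter()
    for e in filter(None, map(parse, lines)):
        anon = ("USER anonymous (Login failed)" in e["msg"]
                or "no such user 'anonymous'" in e["msg"])
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", e["msg"])
        if e["prog"] == "proftpd" and anon and m:
            counts[m.group(1)] += 1
    return dict(counts)
```

Run the three functions over `open("/var/log/messages").read().splitlines()` instead of SAMPLE_LOG to check a real box.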