RE: [cobalt-users] RaQ3: Hacked again even with all the latest updates installed
- Subject: RE: [cobalt-users] RaQ3: Hacked again even with all the latest updates installed
- From: "GPS" <gps@xxxxxxxxxxxxxx>
- Date: Sat Feb 24 09:35:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>Well folks, the crackers got in again. We had all the latest
>patches from cobalt installed, and this time they wiped out
>most of our clients sites, changed my admin password, etc.
>I am currently waiting for our provider to reset my passwords.
>Anyone have any ideas on how they got in this time? Once I
>regain access I am going to install port sentry. Hopefully
>this will help. Any other suggestions would also be helpful
>and very much appreciated. Please forgive my ignorance, but
>which would be the best log files for me to search to try and
>figure out who got in and how??
If the scumbag did that much damage he most likely obliterated
any trace of his existence from the logs.
You would normally check /var/log/messages and /var/log/secure
Also checking /var/log/httpd/adm_access and adm_error
could show you if anyone attempted to hammer their way in
through the GUI admin interface.
There are also Cobalt-specific logs at /var/cobalt/
Please report this incident to CERT with their form at:
http://www.cert.org/reporting/incident_form.txt
If every Raq owner would do the same Sun might get a wake-up call.
It would also probably be helpful for legal reasons to make a
backup of the entire system in its hacked state.
Tony
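The reply above names the log files to check but not what to look for in them. The following script is an added example, not part of Tony's post and not Cobalt software: it runs over constructed sample copies of /var/log/secure and /var/log/httpd/adm_access and pulls out the two patterns that matter on a brute-forced box, repeated failed logins per source IP and a successful login from an IP that had already failed several times. The line formats (OpenSSH "Failed password" syslog lines, Apache common log format for the admin server) are assumptions; a real RaQ3 may log differently, so check the field positions against your own files before trusting the counts.

```shell
#!/bin/sh
# Added example (not from the original post or from Cobalt).
# Triage /var/log/secure and /var/log/httpd/adm_access for brute-force signs.
# The sample files below are constructed here so the script runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SECURE="$WORK/secure"          # stands in for /var/log/secure
ADM_ACCESS="$WORK/adm_access"  # stands in for /var/log/httpd/adm_access

# Constructed sample of /var/log/secure (assumed OpenSSH syslog format)
cat > "$SECURE" <<'EOF'
Feb 23 02:14:07 raq3 sshd[1422]: Failed password for root from 10.0.0.5 port 3321 ssh2
Feb 23 02:14:09 raq3 sshd[1422]: Failed password for root from 10.0.0.5 port 3321 ssh2
Feb 23 02:14:12 raq3 sshd[1422]: Failed password for admin from 10.0.0.5 port 3322 ssh2
Feb 23 02:15:40 raq3 sshd[1430]: Accepted password for root from 10.0.0.5 port 3330 ssh2
Feb 23 09:01:03 raq3 sshd[1501]: Failed password for webmaster from 192.168.1.20 port 40001 ssh2
EOF

# Constructed sample of /var/log/httpd/adm_access (assumed common log format;
# field 9 is the HTTP status, 401 = admin GUI rejected the credentials)
cat > "$ADM_ACCESS" <<'EOF'
10.0.0.5 - - [23/Feb/2001:02:20:01 -0500] "GET /admin/ HTTP/1.0" 401 -
10.0.0.5 - - [23/Feb/2001:02:20:02 -0500] "GET /admin/ HTTP/1.0" 401 -
10.0.0.5 - - [23/Feb/2001:02:20:03 -0500] "GET /admin/ HTTP/1.0" 401 -
10.0.0.5 - admin [23/Feb/2001:02:20:05 -0500] "GET /admin/ HTTP/1.0" 200 4132
192.168.1.20 - admin [23/Feb/2001:08:00:00 -0500] "GET /admin/ HTTP/1.0" 200 4132
EOF

# Failed password attempts per source IP, most frequent first.
# Output lines look like "<count> <ip>".
failed_logins_by_ip() {
    grep 'Failed password' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Rejected (HTTP 401) admin-interface requests per client IP, same output shape.
admin_rejects_by_ip() {
    awk '$9 == 401 { print $1 }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Accepted logins from any IP that already had at least $2 (default 3) failures:
# the guess-until-it-works pattern. Prints the matching "Accepted" lines.
suspicious_successes() {
    min=${2:-3}
    failed_logins_by_ip "$1" | awk -v min="$min" '$1 + 0 >= min + 0 { print $2 }' \
        | while read -r ip; do
            grep "Accepted password for .* from $ip " "$1" || true
          done
}

echo "== failed logins by source IP"
failed_logins_by_ip "$SECURE"
echo "== admin GUI 401s by client IP"
admin_rejects_by_ip "$ADM_ACCESS"
echo "== logins that succeeded after repeated failures"
suspicious_successes "$SECURE" 3
```

Point the three functions at the real paths once you have the read-only backup Tony recommends; running anything on the compromised filesystem before it is imaged risks overwriting the very timestamps and entries you are looking for, and an attacker who reached root may already have edited these files.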