Re: [cobalt-users] kofa\r and kofif\r in base directory.
- Subject: Re: [cobalt-users] kofa\r and kofif\r in base directory.
- From: "Jim Hagani" <jhagani@xxxxxxxxxxx>
- Date: Sat Feb 24 15:04:14 2001
- Organization: Hardill Associates
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> > I just found these two files in my RAQ3 directory. I know they don't belong
> > there.
> >
> > I searched the archives and there is one message saying it is a hack. But
> > there are no instructions on how to remove it.
> >
> > I checked my inetd.conf and that was hacked, so I took the extra lines out.
> > There was even a kof.d directory in tmp, which I removed.
>
> Which may have been a mistake, make sure you didn't lose the init scripts
> starting your network (inetd) or you will lose telnet after the next
> reboot...
>
> >
> > But how do I remove kofa\r ? Whatever I try, I get file does not exist.
>
> rm "kofa\\r"
>
> If you are having this kind of problem, please, seriously consider
> finding someone knowledgeable in recovering from root compromises...
> (no, not me)
>
> gsh

Thanks for the advice, but who?

I have rebooted the system, and it looks like it is running fine, except for the three
lines I get in my start up log.

Feb 23 18:49:08 ns kernel: TCP: Hash tables configured (ehash 65536 bhash 65536
Feb 23 18:50:09 ns PAM_pwdb[1020]: (su) session opened for user postgres by (uid=0)
Feb 23 18:50:11 ns PAM_pwdb[1020]: (su) session closed for user postgres
Feb 23 18:50:28 ns sshd2[1148]: Listener created on port 22.

I do not have a user "postgres", and it looks like someone opened a listener
on my port 22. But I do not telnet at all. Can I add port 22 to portsentry
list of ports to check?

I am stuck!

Jim Hagani
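
Handling a file by inode sidesteps the quoting problem discussed in this thread, because a name containing a carriage return never has to be typed. The following is an added example, not part of the original messages; it assumes GNU find and ls, and the function names and the quarantine directory layout are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU find and ls.

# Print "<inode> <escaped name>" for each entry directly inside directory $1
# whose name contains a control character (CR, LF, ESC, ...).
list_ctrl_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '*[[:cntrl:]]*' \
        -exec ls -dib -- {} +
}

# Move the regular file with inode $2 from directory $1 into quarantine
# directory $3 under the printable name inode-<n>, keeping it for analysis.
# Returns 2 on a non-numeric inode, 1 unless exactly one file matches.
quarantine_by_inode() {
    dir=$1 inode=$2 dest=$3
    case $inode in
        ''|*[!0-9]*) return 2 ;;
    esac
    # One "x" per match; the name itself is never printed or parsed.
    hits=$(find "$dir" -mindepth 1 -maxdepth 1 -type f -inum "$inode" -printf x)
    [ "$hits" = x ] || return 1
    mkdir -p "$dest" || return 1
    find "$dir" -mindepth 1 -maxdepth 1 -type f -inum "$inode" \
        -exec mv -- {} "$dest/inode-$inode" \;
}
```

Run list_ctrl_names on the directory first, then pass the inode it reports to quarantine_by_inode; the file is moved rather than deleted so it stays available to whoever investigates the compromise.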