
Re: [cobalt-users] kofa\r and kofif\r in base directory.



----- Original Message -----
From: <flash22@xxxxxxx>
To: "Jim Hagani" <jhagani@xxxxxxxxxxx>
Cc: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Saturday, February 24, 2001 2:34 PM
Subject: Re: [cobalt-users] kofa\r and kofif\r in base directory.


> On Sat, 24 Feb 2001, Jim Hagani wrote:
>
> > Feb 23 18:49:08 ns kernel: TCP: Hash tables configured (ehash 65536 bhash
> > 65536
> > Feb 23 18:50:09 ns PAM_pwdb[1020]: (su) session opened for user postgres
> > by (uid=0)
> > Feb 23 18:50:11 ns PAM_pwdb[1020]: (su) session closed for user postgres
> > Feb 23 18:50:28 ns sshd2[1148]: Listener created on port 22.
> >
> > I do not have a user "postgres", and it looks like someone opened a
> > listener on my port 22. But I do not telnet at all. Can I add port 22 to
> > portsentry's list of ports to check?
>
> Well, if you insist on fixing it ;) possibly a sshd started in one of
> the init files, set to 'postgres' user so you won't notice....
>
> You can't add to portsentry till you remove the sshd ,
>  it already owns the port...
>
> look in your password files, you probably have
> some interesting changes there too ;0
>
> (not to mention the rest of the filesystem....)
>
> at least get chkrootkit , it's a small start....
>
> gsh
>

Just wanted to thank you personally.

My system was hacked last week, and I had the ISP do a complete restore. I
installed all the latest upgrades and even portsentry and logcheck. Not even
a week, and here they are again. I cannot afford another OS restore, so I
have to do it myself.

For your info, the files showed as kofa\r and kofif\r and I could not delete
them that way; rm kofa\\r did not work. I figured out the actual file names
are kofa? and kofif?; why they show that way, I don't know. I found another
instance of these files at /proc/1020 and deleted those also. chkrootkit does
not show anything wrong.

But still when I reboot, sshd puts the listener on port 22, they have to be
somewhere else.
I will go from one directory to another, pico every file until I find them.

I will appreciate any pointers on this quest.

The good part is: I am learning a lot! By the end of this ordeal, I will be
the one giving advice on this matter.

Jim Hagani
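Added example for the two problems in this thread (removing files whose names end in a carriage return, and finding the boot script that starts the rogue sshd). This is editorial example code, not commands from Jim or gsh; it assumes a Linux box with GNU find and grep, and every file name, directory and init-script line in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread; not Jim's or gsh's commands. Assumes a Linux
# box with GNU find/grep. All file names, directories and init-script contents
# below are constructed for the demonstration.
set -e

# Delete every regular file directly inside $1 whose name contains a carriage
# return byte (0x0D). `rm kofa\\r` fails because the shell hands rm the literal
# characters backslash and r, not the CR byte, so the name never matches.
remove_cr_named_files() {
    dir=$1
    cr=$(printf '\r')
    # Show the real names with control characters made visible (CR prints as ^M).
    find "$dir" -maxdepth 1 -type f -print | cat -v
    # The -name pattern contains the actual CR byte, so it matches the real name.
    find "$dir" -maxdepth 1 -type f -name "*${cr}*" -exec rm -f {} +
}

# Print the number of regular files left directly inside $1.
count_files() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# Print the names of files under the given paths that mention sshd or the
# unexpected postgres user; run it over the boot scripts to find where the
# listener is started (e.g. /etc/rc.d /etc/inittab /etc/rc.local).
find_startup_refs() {
    grep -rl -e 'sshd' -e 'postgres' "$@" 2>/dev/null || true
}

# On the live system, before editing the boot scripts, identify the process:
#   netstat -tlnp | grep ':22 '              # PID and program bound to port 22
#   ls -l /proc/<pid>/exe /proc/<pid>/cwd    # the binary and directory behind it
# /proc/<pid> is a view of the running process, not files on disk, so removing
# entries there changes nothing; the binary and the script that starts it must
# be found and removed.

demo() {
    tmp=$(mktemp -d)
    cr=$(printf '\r')
    : > "$tmp/kofa${cr}"            # constructed: same names as in the post
    : > "$tmp/kofif${cr}"
    : > "$tmp/legit.txt"
    mkdir -p "$tmp/rc.d/init.d"
    # constructed boot scripts: one starts sshd as postgres, one is clean
    printf '#!/bin/sh\nsu postgres -c "/usr/local/sbin/sshd -p 22"\n' \
        > "$tmp/rc.d/init.d/network"
    printf '#!/bin/sh\necho clean\n' > "$tmp/rc.d/init.d/clean"

    remove_cr_named_files "$tmp"
    echo "regular files left in $tmp: $(count_files "$tmp")"   # 1
    echo "boot scripts mentioning sshd/postgres:"
    find_startup_refs "$tmp/rc.d"
    rm -rf "$tmp"
}

demo
```

The `/proc/1020` path in the post is the kernel's entry for process 1020 (the PID in the PAM_pwdb log lines above), so "deleting" there does not touch the files the intruder left on disk; the netstat and /proc/<pid>/exe lines in the comments are how to get from the listener on port 22 back to the binary, and `find_startup_refs` over the rc directories is how to find what launches it on every reboot.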