Re: [cobalt-users] Trinoo DDoS server in init
- Subject: Re: [cobalt-users] Trinoo DDoS server in init
- From: flash22@xxxxxxx
- Date: Sun Feb 25 23:02:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Thu, 15 Feb 2001, Roger Dunk wrote:
> Great, thanks guys. I removed /usr/sbin/init and that solved that problem.
> However now I wonder from which script the /usr/sbin/init file was being
> called. I've gone through all the scripts in /etc/rc.d and can't find
> anything.
Um, heh...the word EVIL doesn't even begin to apply to what you just did
;)
init is run by the kernel itself when you boot the machine; until you
replace it, you had better not reboot ;)
(init is the program that in fact starts running all those nice rc.d
scripts)
> However I did notice the file dates on /etc/rc.d/init.d/tmpinit
> and arkeia have been changed. Does anyone have the correct copies of these
> files available?
It should be safe temporarily to comment those out obviously...till you
get fresh ones..but..
> Lastly, all files in /lib/security have their file dates changed.
Ouch, that implies nothing you do on that machine may be doing what you
think...
> Are the files in /lib/security part of an rpm or package I can
> download and reinstall?
PAM, but I don't know what Cobalt modified or if they have just those in an
rpm. I'd really be thinking about reloading the OS if you have so many
things 'suspicious'
The modules in /lib/security are responsible for all username
authentication on the machine; if they are compromised, nothing you do is
'safe'..
>
> Ohh yeah, and I would like to second that notion of chopping their fingers
> off!
Well, they would just type with their noses...
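
An added example, not part of the original message: a small filter that sorts `rpm -Va` output for the two directories named in the thread, separating files whose content digest differs from files where only the date changed. The sample lines and module names are constructed, and the result is only as trustworthy as the rpm binary and package database it is run with.

```shell
#!/bin/sh
# Sort `rpm -Va` output for /lib/security and /etc/rc.d/init.d into
# content changed, attributes changed, only mtime changed, or missing.
# rpm prints a flag string (S size, M mode, 5 digest, U user, G group,
# T mtime), an optional file-type letter (c = config), then the path.

classify_rpm_verify() {
    awk '
    function watched(p) {
        return p ~ /^\/lib\/security\// || p ~ /^\/etc\/rc\.d\/init\.d\//
    }
    { path = $NF }
    !watched(path)   { next }
    $1 == "missing"  { printf "%-8s %s\n", "MISSING", path; next }
    $1 ~ /5/         { printf "%-8s %s\n", "CONTENT", path; next }
    $1 ~ /[SMUG]/    { printf "%-8s %s\n", "ATTR", path; next }
    $1 ~ /T/         { printf "%-8s %s\n", "MTIME", path; next }
    '
}

# Constructed sample of `rpm -Va` output (not taken from the thread).
sample_rpm_verify() {
cat <<'EOF'
S.5....T   /lib/security/pam_unix.so
.......T   /lib/security/pam_deny.so
.M.....T c /etc/rc.d/init.d/tmpinit
missing    /etc/rc.d/init.d/arkeia
S.5....T c /etc/httpd/conf/httpd.conf
EOF
}

# Stand-alone run on the sample; on a real host: rpm -Va | classify_rpm_verify
# To find the owning package of one file: rpm -qf /lib/security/<module>
sample_rpm_verify | classify_rpm_verify
```

A CONTENT line means the file no longer matches the digest recorded at install time; an MTIME line means only the timestamp differs from the package record.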