[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] Trinoo DDoS server in init

Subject: Re: [cobalt-users] Trinoo DDoS server in init
From: Eurowolf@xxxxxxx
Date: Sun Feb 25 23:06:44 2001
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

In a message dated 2/15/01 2:26:11 AM Eastern Standard Time, roger@xxxxxxxxx 
writes:

<< I was hacked a few days ago, and it looks as though my /usr/sbin/init file
 has been replaced with a version containing a Trinoo DDoS server. The init
 file /sbin/init appears untouched however. Is /sbin/init the same file as
 /usr/sbin/init, or are they different. If they are different, could someone
 possibly attach a clean version to an e-mail or put it up on a web site etc?
 
 Many thanks,
 Roger
  >>

we had the same thing happen to 3 of our raq3's

they also added  a cron job running this init every 15 minutes, and there 
were other files replaced...so the best thing is to rebuild it wiht the 
restore and load up all the patches, esp the named pacthh from a few days ago

Prev by Date: Re: [cobalt-users] Trinoo DDoS server in init
Next by Date: Re: [cobalt-users] Another Raq3 Hack
Previous by thread: RE: [cobalt-users] Trinoo DDoS server in init
Next by thread: [cobalt-users] [raq3] Access By Domain Web Reports

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index