Re: [cobalt-users] HELP! Have I been hacked??
- Subject: Re: [cobalt-users] HELP! Have I been hacked??
- From: "Zahid N. Sindhu" <zahid@xxxxxxxxxxxx>
- Date: Mon Feb 26 06:50:23 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> I have a bad feeling I've been hacked (on a RAQ3), and now strange things
> show up when I type ps -aux. I don't recall seeing anything like the
> following entries before, but I HAVE just installed the Bind updates, etc.
> Any chance these are normal entries? If not, what next? (scraping the
> machine and starting over may not be feasible, but...)?
>
> Here's what I'm worried about in the ps output:
>
> root 16825 80.7 0.2 1088 364 ? R N 12:48 22:40 ./pscan 60.119 53
> root 23754 0.0 0.3 1100 388 ? S N 04:50 0:00 tail -f bindname.log
>
>
Welcome to the club.
You've been hacked.
Your best option is to back up all user data and restore from the CD.
Before putting the raq back online, however, install patches for Bind and
ProFTPD, or the exercise might be in vain.
The weird thing however is that the cracker didn't replace the ps binary.
- Zahid