RE: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
- Subject: RE: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
- From: "cowbridge" <cobalt@xxxxxxxxxxxxx>
- Date: Mon Feb 26 14:10:00 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Ok, checking my files against those found in other posts, I've discovered
> that while my login, ls, netstat, ps, du and find commands seem to be
> "new and unproved," others appear untainted (checked via Md5 checksums)
>
> I also don't seem to have all the xlogin, ld.so.hash, crth.o, etc files,
> BUT I have come across the directory (empty):
>
> usr/src/.puta
>
> This was mentioned by Rik Thomas in an earlier message (2/9). What else
> should I be looking for?
>
> Should I replace my tainted files with those found in the unhack.tar.gz
> mentioned here earlier, or....?
I'm afraid this is not sort of hacked, but definitely hacked. You have the
t0rn rootkit.
See http://www.sans.org/y2k/t0rn.htm for details.
The only remedy is to use the Restore CD, I'm afraid.
Good luck,
Roger