[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [cobalt-users] Hacked RAQ3 port 514???
- Subject: RE: [cobalt-users] Hacked RAQ3 port 514???
- From: John M Troher <admin@xxxxxxxx>
- Date: Mon Feb 26 18:37:11 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Yes I found two other ports in the 7900 range but they connect and do
nothing
the just sit there?????
John
-----Original Message-----
From: Roger Dunk [mailto:roger@xxxxxxxxx]
Sent: Monday, February 26, 2001 5:11 PM
To: admin@xxxxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] Hacked RAQ3 port 514???
Have you done a port scan right up to at least port 9999? Quite often the
rootkits will leave a port open (around 8000) which will let you get
straight into a root shell.
Cheers...
Roger
----- Original Message -----
From: "John M Troher" <admin@xxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, February 27, 2001 4:58 AM
Subject: [cobalt-users] Hacked RAQ3 port 514???
> I have a Raq3 that was hacked sometime ago that has sites on it with SSL
> that I have not moved yet.
>
> I am portscanning that machine to see what is listening. I see the shell
> service
> listening to port 514 but can not telnet to it, as it disconnects me right
> away.
>
> Is that port normal?
>
> Also the server will not accept any usernames and passwords on the normal
> telnet port or at the console.
>
> Any ideas on how to get into this box and clean it up? Bind has been
> disabled.
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users