RE: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
- From: "Brian Watters" <brwatters@xxxxxxxxxxx>
- Date: Tue Feb 27 19:36:01 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hmm .. is this like being kinda pregnant?
Brian
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of cowbridge
Sent: Monday, February 26, 2001 2:08 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
> Ok, checking my files against those found in other posts, I've discovered
> that while my login, ls, netstat, ps, du and find commands seem to be "new
> and unproved," others appear untainted (checked via MD5 checksums)
>
> I also don't seem to have all the xlogin, ld.so.hash, crth.o, etc files,
> BUT I have come across the directory (empty):
>
> usr/src/.puta
>
> This was mentioned by Rik Thomas in an earlier message (2/9). What else
> should I be looking for?
>
> Should I replace my tainted files with those found in the unhack.tar.gz
> mentioned here earlier, or....?
I'm afraid this is not sort of hacked, but definitely hacked. You have the
t0rn rootkit.
See http://www.sans.org/y2k/t0rn.htm for details.
The only remedy is to use the Restore CD, I'm afraid.
Good luck,
Roger
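
An added example, not part of the original thread: the check described above (MD5 comparison of system binaries plus a search for the artifact names mentioned), written so that it never calls the host's own `ls` or `find`, which the poster reports as replaced. It assumes the suspect disk is mounted under `root` from a trusted boot environment and that the manifest of known-good MD5 values comes from a clean source; the function names and the sample tree in `demo()` are constructed for illustration.

```python
import hashlib, os, tempfile

# Artifact names taken from the thread; where they sit on disk is not assumed.
ARTIFACT_NAMES = {".puta", "xlogin", "ld.so.hash", "crth.o"}

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_binaries(root, manifest):
    """manifest: path relative to root -> known-good MD5 (from a clean source)."""
    status = {}
    for rel, good in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            status[rel] = "missing"
        else:
            status[rel] = "ok" if md5_of(path) == good.lower() else "MODIFIED"
    return status

def find_artifacts(root):
    """Walk the tree with os.walk, so no ls/find binary from the host is used."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name in ARTIFACT_NAMES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def demo():
    """Constructed sample tree standing in for the suspect disk mounted at root."""
    root = tempfile.mkdtemp()
    for d in ("bin", "usr/src/.puta"):
        os.makedirs(os.path.join(root, d))
    clean = {"bin/ls": b"clean ls", "bin/ps": b"clean ps"}
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}
    manifest["bin/login"] = hashlib.md5(b"clean login").hexdigest()
    with open(os.path.join(root, "bin/ls"), "wb") as f:
        f.write(b"replaced ls")      # differs from the manifest entry
    with open(os.path.join(root, "bin/ps"), "wb") as f:
        f.write(b"clean ps")         # matches the manifest entry
    return check_binaries(root, manifest), find_artifacts(root)

if __name__ == "__main__":
    print(demo())
```

A clean result from this check does not establish that the system is clean; it only reports on the files and names it was given.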