Re: [cobalt-users] whats that ?
- Subject: Re: [cobalt-users] whats that ?
- From: flash22@xxxxxxx
- Date: Tue Mar 13 14:54:15 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Tue, 13 Mar 2001, andreas (@work) wrote:
> hi,
>
> i found a directory on my raq3
>
> /home/evil
>
looks like you had a visitor ;)
and they made themselves a ssh password too :)
you shouldn't really have tried to su to that user, they could have had a
surprise waiting for you ;)
ls -l on those files shows them owned by?
look in the passwd file for that user?
certainly scan for rootkits, bet you money there's one around somewhere
note that everything done between 'su evil2 and the next ls isn't in the
history, (cause it's in another user's history, which they probably cleaned
up) so you really have no idea what was done...
the last ps ax, ls, who were possibly to test replaced binaries....
www.chkrootkit.com, see what interesting things it shows, but regardless,
you have to assume the worst since you don't know...
gsh
> and the file
> .ftphelp
> contents "site administrators ftp instructions"
Which is interesting....'site admin
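
The passwd-file check suggested in the reply above, as an added example that is not part of the original message: it lists accounts whose home is the unexpected directory, plus any non-root UID 0 or shared-UID entries. The function names, the login `evil` and the sample passwd lines are constructed assumptions; point it at a copy of the passwd file, since the reply notes that binaries on the host may have been replaced.

```shell
#!/bin/sh
# Added example (not from the original thread).
# audit_passwd PASSWD_FILE SUSPECT_HOME
# Prints one finding per line: "<reason>:<login(s)>:<uid>:<home>:<shell>"
audit_passwd() {
    awk -F: -v home="$2" '
        /^#/ || NF < 7 { next }              # skip comments and malformed lines
        {
            h = $6; sub(/\/+$/, "", h)        # ignore trailing slashes
            # account whose home is the suspect directory or lives below it
            if (h == home || index(h, home "/") == 1)
                print "home-match:" $1 ":" $3 ":" $6 ":" $7
            # any account other than root that carries UID 0
            if ($3 == 0 && $1 != "root")
                print "uid0-alias:" $1 ":" $3 ":" $6 ":" $7
            # remember logins per UID to report shared UIDs at the end
            seen[$3] = (seen[$3] == "" ? $1 : seen[$3] "," $1)
            count[$3]++
        }
        END {
            for (u in count)
                if (count[u] > 1)
                    print "shared-uid:" seen[u] ":" u "::"
        }
    ' "$1"
}

# Constructed sample passwd content (assumed values, not taken from the thread).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:500:500:site admin:/home/admin:/bin/bash
evil:x:0:0::/home/evil:/bin/bash
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp) && sample_passwd > "$tmp" && audit_passwd "$tmp" /home/evil
rm -f "$tmp"
```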