[cobalt-users] ProFTPd hack &
- Subject: [cobalt-users] ProFTPd hack &
- From: "H. v. K." <hans@xxxxxxxxxxxxxx>
- Date: Fri Mar 16 00:07:13 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi everyone,
Today I did a "ps aux" on a Cobalt RAQ3i, and saw the following information:
root 22659 0.0 0.2 2300 1412 ? S 01:18 0:00 proftpd: connected: <hostname> (<ipaddress>:1198)
root 23405 0.0 0.2 2300 1412 ? S 01:38 0:01 proftpd: connected: <hostname> (<ipaddress>:1720)
root 23481 0.0 0.2 2300 1412 ? S 01:40 0:00 proftpd: connected: <hostname> (<ipaddress>:1741)
root 23776 0.0 0.2 2300 1412 ? S 01:49 0:01 proftpd: connected: <hostname> (<ipaddress>:1172)
root 23820 0.0 0.2 2300 1412 ? S 01:49 0:01 proftpd: connected: <hostname> (<ipaddress>:1205)
root 24501 0.0 0.2 2300 1412 ? S 02:06 0:00 proftpd: connected: <hostname> (<ipaddress>)
Does this mean that someone (the hostname, totally unknown to us) has root
access using the ProFTP daemon? I immediately killed these processes. How
can I check if this was a hack?
Another thing: the same RAQ3i has been hacked before, and now we want to
clean up the RAQ. But, there are about 200 sites on that server. Does anyone
know how to do this correctly? Which directories do I have to backup and
replace over the OS restore disk?
Thanks!
- H
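The following is an added triage example, not part of the original post and not Cobalt's or ProFTPD's own code. It parses `ps aux` output of the shape shown above, separates the ProFTPD master, unauthenticated children (those whose title reads `proftpd: connected: ...`) and logged-in children, and then groups the unauthenticated children by source address so that a burst of parallel connections from one host stands out. It assumes ProFTPD's process-title convention (`connected:` before login, `user - host: STATE` after login, `(accepting connections)` for the master) and uses a constructed sample with RFC 5737 placeholder addresses in place of the redacted hostname and IP.

```python
"""Triage helper for `ps aux` output listing proftpd processes (added example)."""
import re
from collections import Counter

# Constructed sample modelled on the post's output; hosts/IPs are placeholders.
SAMPLE_PS = """\
USER       PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
root     22659  0.0  0.2 2300 1412 ?   S    01:18 0:00 proftpd: connected: h1.example.net (192.0.2.10:1198)
root     23405  0.0  0.2 2300 1412 ?   S    01:38 0:01 proftpd: connected: h1.example.net (192.0.2.10:1720)
root     23481  0.0  0.2 2300 1412 ?   S    01:40 0:00 proftpd: connected: h1.example.net (192.0.2.10:1741)
nobody   23600  0.0  0.2 2300 1412 ?   S    01:45 0:00 proftpd: alice - cust.example.org: IDLE
root     24501  0.0  0.2 2300 1412 ?   S    02:06 0:00 proftpd: (accepting connections)
"""

# Assumed ProFTPD title for a session that has not logged in yet: "connected: host (ip[:port])".
CONNECTED_RE = re.compile(r"proftpd: connected: (\S+) \(([^:)]+)(?::(\d+))?\)$")


def parse_ps(text):
    """Split `ps aux` lines into dicts; the COMMAND column keeps its spaces."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split(None, 10)
        if len(parts) < 11:
            continue
        rows.append({"user": parts[0], "pid": int(parts[1]),
                     "start": parts[8], "cmd": parts[10]})
    return rows


def proftpd_sessions(rows):
    """Classify each proftpd process as master, pre-auth child or authenticated child."""
    sessions = []
    for r in rows:
        if not r["cmd"].startswith("proftpd:"):
            continue
        m = CONNECTED_RE.search(r["cmd"])
        host = ip = port = None
        if m:
            state = "pre-auth"
            host, ip, port = m.group(1), m.group(2), m.group(3)
        elif "(accepting connections)" in r["cmd"]:
            state = "master"
        else:
            state = "authenticated"
        sessions.append(dict(r, state=state, host=host, ip=ip, port=port))
    return sessions


def triage(sessions, threshold=3):
    """Group unauthenticated children by source IP and flag bursts from one host.

    Pre-auth children run as root in this ProFTPD setup, so the root user alone
    proves nothing; many parallel pre-auth sessions from one source is the
    pattern worth investigating (scanner, brute force, or exploit attempts).
    """
    per_source = Counter(s["ip"] for s in sessions if s["state"] == "pre-auth")
    findings = [f"{n} concurrent unauthenticated FTP sessions from {ip}"
                for ip, n in per_source.items() if n >= threshold]
    root_preauth = [s["pid"] for s in sessions
                    if s["state"] == "pre-auth" and s["user"] == "root"]
    return {"per_source": dict(per_source),
            "root_preauth_pids": root_preauth,
            "findings": findings}


if __name__ == "__main__":
    result = triage(proftpd_sessions(parse_ps(SAMPLE_PS)))
    for line in result["findings"]:
        print(line)
```

The output only tells you where to look; whether the box was actually broken into has to come from the FTP and system logs for the flagged source, and from an integrity check of the installed binaries against the distribution's package database before trusting anything the system reports.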