Re: [cobalt-users] Hacked?? Telnet Connected But Not Activated?

[<elmer@xxxxxxxxxxxxxx>]

On Wed, 18 Apr 2001, Wayne Sagar wrote:

} Don't want to be crying wolf..

	Perhaps you should be...

} Would anyone have any idea where to look for this instance of telnet
} running when I've got it turned of...

	Somewhere on the hard drive(s). No, I'm not trying to be
cute. If the machine has been hacked, the stuff the hacker is using
is obviously hidden - if it were not your logs would contain the
clues you need to track this stuff down. How well it's been hidden
depends upon the skill of the person who cracked your box.

	The difficult part of this is that the cracker's tools can
be anywhere. Worse yet, perhaps, if the cracker is any good they've
more than likely installed one or two backdoors that you are more
than likely not going to be able to find.

} I know, this sounds like a hack.. but if anyone can point me where to look
} and for what to possibly find and nuke this...

	Your best option, the only truly viable option perhaps, is
to either enlist the services of a seasoned security expert or to
back up your user data and start anew by doing a full re-install.

	Truth be told, the odds of you completely cleaning that
box are slim to nothing. if you try to clean it and you fail, you
will be doing yourself, your clients and the entire Internet
community a major dis-service in that your box will most certainly
be used for questionable - very likely illegal and almost certainly
as a base from which attempts will be made to exploit other servers.
Along the way your clients private data will be exploited. Their
client's credit card numbers will be probably be exploited and much
much more.

	Do yourself a favor. Head over to your favorite security
site and get yourself some professional assistance.

	Peace be with you,

	Brent

	Brent Sims
	WebOkay Internet Services
	http://www.WebOkay.net
	Brent@xxxxxxxxxxx
	(719) 595-1427 (Voice/Fax)