Re: [cobalt-users] httpd running but no web except Cobalt GUI
- Subject: Re: [cobalt-users] httpd running but no web except Cobalt GUI
- From: Wayne Sagar <wsagar@xxxxxxxx>
- Date: Sun Apr 22 21:05:04 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>Last time, after I realised I was hacked, I made a mistake in
>rebooting the machine and then telnet was down with no way to access the
>machine again.
Go to the address below and grab the SSH server .pkg file from Cobalt:
http://pkg.nl.cobalt.com/i386/RaQ3-RaQ4-OpenSSH-Server-2.1.1p2.pkg
Install this via the GUI..
Grab the windows client for your local machine from here
http://www.ee.duke.edu/security2/win_free_ttssh.html (assuming you are
using windoze)
If you have not blocked port 22 via portsentry, you should be able to
configure ssh and go in that way... Once you try it and it works, turn OFF
telnet in the GUI, reboot and see what that does.. From what I have seen,
ssh is much harder to compromise than telnet and does not transmit your
password in plain text across the net. I too learned this lesson the hard
way..
Once everyone wakes up on this side of the world.. you'll probably get more
detailed help... but you'll want to have the above done before then. The
only time I'd use telnet would be to test security and then I'd immediately
change the password used via ssh encryption.
Good luck!
Wayne
PS.. just sort of a dumb question, do you have portsentry watching port 80?
If so, go into the config file and remove that port...
At 11:45 AM 4/23/01 +0100, you wrote:
>Hi everybody,
>
>I am unsure if I have been hacked. It is a long message but please bear with
>me as I am unsure what to do.
>
>I rebooted my server this morning and since then I have no web services. The
>Cobalt GUI is working fine and tells me that the web server is down.
>
>I tried a "netstat -lnp" and I have the following:
>tcp 0 0 0.0.0.0:7937 0.0.0.0:* LISTEN 568/nsrexecd
>tcp 0 0 0.0.0.0:7938 0.0.0.0:* LISTEN 566/nsrexecd
>tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 490/sendmail: accep
>tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 380/httpd
>tcp 0 0 0.0.0.0:444 0.0.0.0:* LISTEN 380/httpd
>tcp 0 0 0.0.0.0:617 0.0.0.0:* LISTEN 370/nlservd
>tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 361/sshd
>tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 355/inetd
>tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 355/inetd
>tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 355/inetd
>udp 0 0 0.0.0.0:7938 0.0.0.0:* 566/nsrexecd
>7 608/portsentry
>raw 0 0 0.0.0.0:6 0.0.0.0:* 7 606/portsentry
>raw 0 0 0.0.0.0:1 0.0.0.0:* 7 -
>raw 0 0 0.0.0.0:6 0.0.0.0:* 7 -
>
>I am not worried about 7937 and 38 as they are ARKEAI backup, but I do not
>have ports 80 and 443 running, which means that of course I cannot access my
>virtual sites. Now as I have portsentry set up, every time somebody accesses my
>machine through port 80 (via a web browser), my RAQ3 blocks them and sends
>them to the hosts.deny file (I have locked myself out several times).
>
>However, when I run /etc/rc.d/init.d/httpd status it tells me "httpd (pid
>8319 380) is running..." which to me means that apache is up and running,
>but still no web access.
>
>I did a chkrootkit and I had this that I did not have before:
>Checking `z2'... Not Tested: can't exec ./chklastlog
>Checking `wted'... Not Tested: can't exec ./chkwtmp
>Checking `sniffer'... Not Tested: can't exec ./ifpromisc
>Checking `lkm'... Not Tested: can't exec ./chkproc
>
>Now this looks to me like I have been hacked as it seems to refuse access to
>some of the things that are necessary for the system to work.
>
>I was hacked a few months ago and I spent a lot of time securing the machine
>and closed all the unnecessary ports and installed all the patches when
>available. I had to collect it from my ISP and bring it back (at a cost of
>USD 750). So I am hesitant to reboot the machine again.
>
>I have checked the archives (again and again) and can't see any problems of
>this nature.
>
>Would anybody know what is happening to the machine. I would really
>appreciate any help.
>
>Gilles
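Wayne's PS (take port 80 out of the portsentry config) and Gilles's netstat listing together describe a check that is worth scripting rather than eyeballing. The script below is an added example, not code from the thread, from Cobalt or from portsentry: it pulls the TCP_PORTS list out of a portsentry.conf, intersects it with the ports the box is meant to serve, and reports which of those expected ports have no listener in a saved netstat -lnp. The portsentry.conf fragment, the netstat listing and the EXPECTED_PORTS set are all constructed for the example; the file paths are placeholders, not the locations on a real RaQ3.

```shell
#!/bin/sh
# Added example, not code from the thread: cross-check the TCP ports that
# portsentry is told to watch against the ports a RaQ3 actually has to
# serve, and against what `netstat -lnp` shows listening. Every input
# below (the portsentry.conf fragment, the netstat listing, the expected
# port list) is constructed for the example.
LC_ALL=C
export LC_ALL

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed portsentry.conf fragment: 80 and 443 are in TCP_PORTS, which
# is the misconfiguration the thread's PS points at.
SAMPLE_CONF="$WORK/portsentry.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# Port Configurations (constructed sample)
TCP_PORTS="1,11,15,79,80,111,119,143,443,540,635,1080,1524,2000,5742,6667,12345,31337"
UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771"
EOF

# Constructed `netstat -lnp` output modelled on the listing in the thread:
# Apache is up on the GUI ports 81/444 but nothing listens on 80/443.
SAMPLE_NETSTAT="$WORK/netstat.txt"
cat > "$SAMPLE_NETSTAT" <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 490/sendmail: accep
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 380/httpd
tcp 0 0 0.0.0.0:444 0.0.0.0:* LISTEN 380/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 361/sshd
udp 0 0 0.0.0.0:7938 0.0.0.0:* 566/nsrexecd
raw 0 0 0.0.0.0:6 0.0.0.0:* 7 606/portsentry
EOF

# Ports this box is supposed to serve (assumed for the example): 80/443 for
# the virtual sites, 81/444 for the Cobalt GUI, 22 for sshd, 25 for mail.
EXPECTED_PORTS="22 25 80 81 443 444"

# Helpers: each prints one port per line, sorted so comm(1) can compare them.
portsentry_tcp_ports() {
    sed -n 's/^TCP_PORTS="\([^"]*\)".*/\1/p' "$1" | tr ',' '\n' | sed '/^$/d' | sort -u
}

listening_tcp_ports() {
    awk '$1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' "$1" | sort -u
}

expected_ports() {
    printf '%s\n' $EXPECTED_PORTS | sort -u
}

# Collapse a port list to a single "80,443"-style line in numeric order.
as_csv() {
    sort -n | tr '\n' ',' | sed 's/,$//'
}

# Expected service ports that portsentry watches: every legitimate client
# hitting one of these ends up in hosts.deny, so drop them from TCP_PORTS.
portsentry_conflicts() {
    portsentry_tcp_ports "$1" > "$WORK/watched"
    expected_ports > "$WORK/expected"
    comm -12 "$WORK/watched" "$WORK/expected" | as_csv
}

# Expected service ports with no listener in the netstat output.
missing_listeners() {
    listening_tcp_ports "$1" > "$WORK/listening"
    expected_ports > "$WORK/expected"
    comm -23 "$WORK/expected" "$WORK/listening" | as_csv
}

# PID/program that owns a listening TCP port, e.g. "380/httpd" for 81.
owner_of_port() {
    awk -v p="$2" '$1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) print $7 }' "$1"
}

echo "portsentry watches service ports: $(portsentry_conflicts "$SAMPLE_CONF")"
echo "expected ports with no listener:  $(missing_listeners "$SAMPLE_NETSTAT")"
echo "port 81 is owned by:              $(owner_of_port "$SAMPLE_NETSTAT" 81)"
```

To use it on a real box, point SAMPLE_CONF at wherever portsentry.conf lives, save the live listing with `netstat -lnp > netstat.txt` and point SAMPLE_NETSTAT at that file, then adjust EXPECTED_PORTS to the services you actually run. A port that shows up in both reports, as 80 and 443 do here, is the portsentry-versus-Apache clash the thread is chasing; a port that only shows up as missing is a daemon problem, not a portsentry one.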