Re: [cobalt-users] Hacked?
- Subject: Re: [cobalt-users] Hacked?
- From: Jay Kraft <jkraft@xxxxxxxxxxxx>
- Date: Thu May 31 09:26:25 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
There is only one reliable solution if you think you have been hacked. Do
not waste your time trying to remove rootkits and the like because the
hacker is a hell of a lot smarter than we are and he has more backdoors
than a Chinese house of ill-repute.
1. Do a complete restore with the Cobalt CD
2. DO NOT turn on DNS or telnet until you have done all updates to the box.
3. Restore your content only - no opsys stuff
4. Change your admin password and leave telnet turned off until you need it
and then turn it back off.
Jay Kraft
At 06:21 PM 05/29/2001 -0400, you wrote:
>#1 Log files
>#2 top to see if something running weird
>#3 ps -aux to see if unknown processes are running
>#4 netstat to see open ports on your machine
>#5 look for internal contents ( cgi running, weird file, hacker business
>card, IP scanner file (surely have a process running this) etc)
>#6 Look at your telnet root/su buffer command if you see something you didn't
>do (sometimes they forget to clear that (ssh user ?))
>#7 god help you, I cannot do better
>
>Stephen Gilbert
>satan@xxxxxxxxxxxxxxxx
>
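
Step #4 of the quoted checklist (netstat to see open ports), as an added example that is not part of either post: a shell function that compares listening sockets in `netstat -an` output against an allowlist of expected ports. The function names, the allowlist and the sample output are constructed for illustration; on a host suspected of compromise the netstat binary itself may have been replaced, which is why the reply above recommends a full restore instead.

```shell
#!/bin/sh
# Added example: flag listening sockets whose port is not on an allowlist.
# Reads `netstat -an` style output on stdin; arguments are the expected ports.

unexpected_listeners() {
    awk -v allow="$*" '
        BEGIN {
            # Build a lookup table from the space-separated allowlist.
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # TCP sockets in LISTEN state, or UDP sockets bound with a wildcard peer.
        ($1 ~ /^tcp/ && $NF == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /:\*$/) {
            port = $4
            sub(/.*:/, "", port)      # keep text after the last colon (IPv4 or IPv6)
            if (!(port in ok)) print $1 "/" port " " $4
        }
    '
}

# Constructed sample output (not taken from a real machine).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
EOF
}

# Expected services on this hypothetical box: ssh, smtp, dns, http.
sample_netstat | unexpected_listeners 22 25 53 80
```

On a live system the same function would be fed from `netstat -an`, ideally using a netstat binary from trusted read-only media rather than the one on the suspect disk.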