RE: [cobalt-users] Hacked?
- Subject: RE: [cobalt-users] Hacked?
- From: "Joey Calvey" <jcalvey@xxxxxxxx>
- Date: Thu May 31 10:17:00 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Actually I think removing/turning off telnet and replacing it with ssh is a
better solution. But I have to agree, I had to fix an XTR that was rooted
with the (lion kit) and it's WAY less labor intensive to just do a factory
restore of the box.
-----
Joey Calvey (jcalvey@xxxxxxxxxxxxxxxxx)
Calvey Internet & Network Systems
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Jay Kraft
Sent: Thursday, May 31, 2001 7:17 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] Hacked?
There is only one reliable solution if you think you have been hacked. Do
not waste your time trying to remove rootkits and the like because the
hacker is a hell of a lot smarter than we are and he has more backdoors
than a Chinese house of ill-repute.
1. Do a complete restore with the Cobalt CD
2. DO NOT turn on DNS or telnet until you have done all updates to the box.
3. Restore your content only - no opsys stuff
4. Change your admin password and leave telnet turned off until you need it
and then turn it back off.
Jay Kraft
At 06:21 PM 05/29/2001 -0400, you wrote:
>#1 Log files
>#2 top to see if something is running weird
>#3 ps -aux to see if unknown processes are running
>#4 netstat to see open ports on your machine
>#5 look for internal contents (cgi running, weird file, hacker business
>card, IP scanner file (surely have a process running this) etc)
>#6 Look at your telnet root/su buffer command if you see something you
>didn't do (sometimes they forget to clear that (ssh user ?))
>#7 God help you, I cannot do better
>
>Stephen Gilbert
>satan@xxxxxxxxxxxxxxxx
>
>
>
>_______________________________________________
>cobalt-users mailing list
>cobalt-users@xxxxxxxxxxxxxxx
>To Subscribe or Unsubscribe, please go to:
>http://list.cobalt.com/mailman/listinfo/cobalt-users
>
>
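Added example, not part of the original thread: a shell check for the "leave telnet turned off" advice above, listing cleartext remote-access services still enabled in an inetd-style config after a restore. It assumes the box starts telnet from a file such as /etc/inetd.conf; the function names, service list and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report cleartext remote-access services that are still
# enabled in an inetd.conf-style file. The path and the service list are
# assumptions, not taken from the thread.

# Services that send passwords or commands unencrypted (assumed list).
CLEARTEXT_SERVICES="telnet ftp shell login exec"

# audit_inetd FILE
# Prints each enabled cleartext service once, sorted.
# Returns 0 if none are enabled, 1 if any are, 2 if FILE is unreadable.
audit_inetd() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi
    found=$(awk -v deny="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        $1 ~ /^#/   { next }       # commented-out entry: service is disabled
        NF < 6      { next }       # not a complete inetd entry
        ($1 in bad) { print $1 }   # active entry for a cleartext service
    ' "$conf" | sort -u)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Writes a constructed sample config (not from a real box) to the given path.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#ftp    stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
 shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
EOF
}

# With a path argument, audit that file; with none, audit the sample.
if [ $# -gt 0 ]; then
    audit_inetd "$1"
else
    tmp=$(mktemp) && make_sample "$tmp" && { audit_inetd "$tmp" || true; rm -f "$tmp"; }
fi
```

An exit status of 1 from `audit_inetd` means at least one listed service is still active and should be commented out before the box goes back on the network.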