[cobalt-users] where's the list; and, have I been hacked?
- Subject: [cobalt-users] where's the list; and, have I been hacked?
- From: Tom Ritchford <tom@xxxxxxxxxx>
- Date: Sun Jun 10 03:25:08 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

I haven't had email from this list for several days now -- but the
listmaster insists I'm subscribed.

I moved to my current Raq3 after the old one was, it seemed,
compromised. I thought I had been careful but hadn't installed
the BIND update.

My provider datapipe.com gave me a new box and this time I
was very VERY careful indeed to make sure that I had everything
up-to-date and no holes.

Well, today I logged in as admin. No trouble. Then I tried
to su.

I couldn't su. I tried many times... I could log in as admin
fine but I couldn't su.

I went to the Cobalt Administrator control panel and changed
the administrator password to a new password.

Now I can su fine. But. I don't get a warm fuzzy feeling.

I can't seem to find anything wrong (is there a complete
list of steps I should take somewhere? there are several
on the recent list even...), no obvious jobs running,
find / -ctime 0 was quite quiet, /root/.bash_history
was fine, /etc/rc.d/ seems to be unchanged including init.d...

I have been very careful!

Almost all scripts and programs run with user perms.
I do have the following services
that might be running suid at some point.

- Apache/mod_perl/Resin servlet engine
- neomail (in ONE directory only. it seems fine...?)
- innd news (in fact, I think that's always running as user "news"...
  would it leave a hole if it were running as root?)

I have another theory. I know that Datapipe, my provider, has a backdoor
to my machine that lets them change root's password because
they did it when I was hacked. (How does that work, anyway?)

And I know that they have been having some troubles recently
(because there have been a few 15 minute segments where I
couldn't reach my sites or them...)

Haven't heard back from them on this yet.

I'd HATE to have to move servers again.

/t

that was fast
.......all legal games of chess <http://solveChess.com/chess?refresh=0>......
.....programmer's documentation <http://solveChess.com/doc>..................