Re: [cobalt-users] Hacked ??
- Subject: Re: [cobalt-users] Hacked ??
- From: "Frederic Stos" <metalwolf@xxxxxxxxxxxxx>
- Date: Wed Jun 13 05:11:06 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Check the full packages' date and size with the rpm database against the original
version (I don't remember the options... check with: man rpm).
If a hacker has entered your machine and installed a backorifice, you will
have main programs changed (date and size), such as:
su, bind, sh, addr, passwd, nslookup, irpd,
etc.
You will surely also have some unauthorized account in /etc/passwd
(users not documented on any site and not the usual 'low-groups for admin'
users)
and maybe /dev/.dev/rootkit (where they install things in general) and maybe
even a "you got me.txt" file or something like that.
Check with '$ locate rootkit'
(rootkit is one of the common backorifices in Linux).
If you find something like this, you surely have been hacked.
Good luck
MasterPhil
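The reply above describes three manual checks: compare package-owned binaries against the RPM database, look for accounts in /etc/passwd that nobody can vouch for, and look for hidden directories under /dev. The script below is an added example of how to script that triage on a Red Hat-derived box such as a RaQ; it is not from the original thread or from Cobalt. The `rpm -Va` output, the /etc/passwd contents and the /dev tree it inspects are all constructed samples embedded in the script (so it runs offline); the account allow-list "root admin joe" is an assumption for the demonstration.

```shell
#!/bin/sh
# Added example: scripted version of the checks described above (rpm verify,
# /etc/passwd review, hidden directories under /dev). Not Cobalt code; all
# sample data below is constructed, not captured from a real RaQ.

# Constructed sample of `rpm -Va` output. Flag columns: S size, M mode,
# 5 MD5 digest, D device, L readlink, U user, G group, T mtime; a 'c' after
# the flags marks a config file. On a real box use: rpm -Va 2>/dev/null
SAMPLE_RPM_VERIFY='S.5....T    /bin/su
S.5....T    /bin/ps
.......T    /bin/sh
..5....T  c /etc/inetd.conf
.......T  c /etc/passwd
missing     /usr/bin/passwd
S.5....T    /usr/sbin/named'

# Print package-owned files whose size or MD5 changed, or that are missing.
# Config files are skipped (they legitimately differ from the package), and
# mtime-only changes are ignored: they are common after upgrades and prove
# nothing on their own. A changed size or digest on /bin/su does.
suspicious_binaries() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print "MISSING " $NF; next }
        $2 == "c"       { next }
        $1 ~ /^S/ || substr($1, 3, 1) == "5" { print "MODIFIED " $NF }
    '
}

# Constructed /etc/passwd. "admin" is the usual Cobalt admin account; "r00t"
# and "gdm" are the kind of entries the reply says to look for.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
admin:x:100:100:Cobalt admin:/home/admin:/bin/bash
joe:x:501:501:Joe Lange:/home/joe:/bin/bash
r00t:x:0:0::/dev/.dev:/bin/sh
gdm::502:502::/tmp:/bin/bash'

# Flag accounts that need explaining: extra UID 0 entries, empty password
# fields, and login-capable accounts not in the space-separated allow-list $2.
suspicious_accounts() {
    printf '%s\n' "$1" | awk -F: -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $3 == 0 && $1 != "root" { print "UID0 " $1; next }
        $2 == ""                 { print "NOPASS " $1; next }
        $7 !~ /(false|nologin)$/ && !($1 in ok) { print "UNKNOWN " $1 }
    '
}

# /dev should hold device nodes, not dot-directories. $1 is the /dev root to
# scan (pass /dev on a real system).
hidden_dirs_in_dev() {
    find "$1" -mindepth 1 -maxdepth 2 -type d -name '.*' 2>/dev/null
}

# Build a constructed /dev tree in a temp dir so the check can be demonstrated
# without touching the real /dev. Caller removes it.
make_sample_dev() {
    d=$(mktemp -d)
    mkdir -p "$d/pts" "$d/.dev/rootkit"
    : > "$d/null"
    printf '%s\n' "$d"
}

# Demonstration on the constructed samples.
suspicious_binaries "$SAMPLE_RPM_VERIFY"
suspicious_accounts "$SAMPLE_PASSWD" "root admin joe"
sample_dev=$(make_sample_dev)
hidden_dirs_in_dev "$sample_dev"
rm -rf "$sample_dev"
```

Two caveats apply on a box that is already suspected to be compromised: `rpm`, `awk`, `find` and the RPM database itself live on the suspect disk, so a rootkit that replaced them can hide from every check above, and `locate` only searches the database built by the last `updatedb` run. Treat a clean result here as weak evidence, and a positive hit as strong; for a real verdict, verify against known-good tools and package checksums from read-only media or a second host.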
On 13 Jun 2001, at 10:36, Joe Lange wrote:
> Logging into my RAQ it looks like someone is using it for scanning, but I
> cannot find the process. I have limited access to our network via tcp wrap,
> but it appears someone is still using the box ... This is a production DNS
> server, so taking it offline is
> not a very good option if it can be avoided. Can someone offer some advice on
> how to stop the attack?
>
> Joe Lange
> Systems Administrator
> NCI Data.com
> Methow.com
>
> tcp 0 1 raq.ncidata.com:3378 207.40.84.251:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3377 207.40.84.250:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3376 207.40.84.249:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3375 207.40.84.248:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3504 terre.terressenc:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3503 sign.lillichsign:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3502 tire.hostetlerti:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3501 furn.furndirect.:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3500 rapid.rapidsenso:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3499 rapid.rapidsenso:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3498 blah.kuntrynet.c:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3898 207.40.87.6:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3897 207.40.87.5:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3896 207.40.87.4:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3895 207.40.87.3:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3894 207.40.87.2:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3893 207.40.87.1:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3892 207.40.87.0:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3922 207.40.87.30:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3921 207.40.87.29:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3920 207.40.87.28:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3919 207.40.87.27:sunrpc SYN_SENT
> tcp 0 1 raq.ncidata.com:3918 207.40.87.26:sunrpc SY
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>