Re: [cobalt-users] [RaQ3] Kernel IP routing table HACKED?
- From: enrique <enriquevega@xxxxxxx>
- Date: Thu Jul 26 07:42:06 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
on 7/25/01 11:44 AM, flash22@xxxxxxx at flash22@xxxxxxx wrote:
> On Wed, 25 Jul 2001, enrique wrote:
>
>> My RaQ3 was recently hacked by Dwarf. I was notified by a change to an
> ...
>> 169.254.183.37 which seems to end up at blackhole.isi.edu.
>>
>> Now, I have little knowledge of Linux and would like to ask you folks if
>> I have an open relay hack. If so, can you tell me what I need to do to stop
>
> It has nothing to do with relays, that's email :)
Hmm, then I definitely have been hacked!
>
>> this? I have rebooted the box, but this ip address must be hardcoded
>> somewhere. Note that the xxx.xxx.xx.x is my ip address which I am not
>
> It's part of your configuration scripts then....
Ok, so how would I go about finding the script which sets up 169.254.183.37?
>
> Given you have a /16 netmask, I'd be suspicious more than not ;)
I am very suspicious now! Can you tell me how to find the script which is
affected?
> No, first, drop the interface, that will delete the routes,
> but if it's there after reboot, it's in your machine's configuration or in
> a startup script somewhere and will come back after reboot, routes and
> interfaces are just stored in memory, they are set up at boot....
Ok, I'm willing to look, but I have no idea where to begin. Do I use some
type of grep command?
Thanks in advance. Without you folks, I would really be in a panic!
enrique
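
The search asked about above, as an added example that is not part of the original message: a shell function that reports every file under the given directories mentioning an exact IPv4 address. The function name `find_addr_refs` is hypothetical, and the directories in the usage comment assume a Red Hat-style layout; adjust them to wherever the box keeps its network configuration and startup scripts.

```shell
#!/bin/sh
# Added example (not from the original thread).
# find_addr_refs ADDRESS DIR...
#   Prints "file:line:text" for every line under DIR... that contains
#   ADDRESS as a complete dotted-quad, so the file that re-creates the
#   interface or route at boot can be identified and inspected.
find_addr_refs() {
    addr=$1
    shift
    # Escape the dots so they match literally (an unescaped "." would also
    # match "169x254x183x37"), and anchor both ends so a longer number
    # such as 169.254.183.371 is not reported.
    escaped=$(printf '%s' "$addr" | sed 's/\./\\./g')
    pattern="(^|[^0-9.])${escaped}([^0-9]|\$)"
    for dir in "$@"; do
        # Skip directories that do not exist on this system.
        [ -d "$dir" ] || continue
        # -r recurse, -n show line numbers, -E extended regex.
        # grep exits non-zero when nothing matches; that is not an error here.
        grep -rnE -- "$pattern" "$dir" 2>/dev/null || true
    done
}

# Usage (directories are an assumption, see above):
#   find_addr_refs 169.254.183.37 /etc/sysconfig /etc/rc.d
```

After a compromise, treat a clean result with caution: the address may be set by a replaced binary rather than a readable script, so compare file modification times and package checksums as well.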