
Re: [cobalt-users] [RaQ3] Kernel IP routing table HACKED?



On Fri, 27 Jul 2001, enrique wrote:

> on 7/27/01 1:38 PM, Curtis Ross at Curtis_Ross@xxxxxx wrote:
> 
> >> -----Original Message-----
> >> From:     enriquevega@xxxxxxx@CPR
> >> Sent:    Thursday, July 26, 2001 9:55 AM
> >> To:    cobalt-users@xxxxxxxxxxxxxxx
> >> Subject:    Re: [cobalt-users] [RaQ3] Kernel IP routing table
> > HACKED?
> > 
> > <snip>
> >>>> My RaQ3 was recently hacked by Dwarf. I was notified by a change to
> > an...
> >>> ... 
> >>>> 169.254.183.37 which seems to end up at blackhole.isi.edu.
> >>>> 
> >> Hmm, then I definitely have been hacked!
> > <snip>
> > 
> > I would check with your ISP and see if they are using that IP for
> > hardware routing. It may not have any relationship with you being
> > hacked.
> 
> I did, and they said 169.254.183.37 has nothing to do with their network. So
> what can I do to find the script which loads this ip address during bootup?

ok, try this for a start

grep "169.254.183.37" /etc/rc.d/* /etc/rc.d/*/*

see what turns up....unfortunately, it could be anywhere...

also check you don't have a site configured for this address anywhere

gsh
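
A stricter form of the search suggested in the message above, as an added example that is not part of the original post: it matches the address only as a whole dotted quad, since an unescaped "." in a grep pattern matches any character. The function names and the sample tree are hypothetical and constructed for illustration; on a real host, pass /etc/rc.d and any other configuration directories as arguments.

```shell
#!/bin/sh
# Added example: find_addr_refs and make_sample_tree are hypothetical names.

# find_addr_refs ADDR PATH...
# Recursively print file:line:text for each line that mentions ADDR as a whole
# IPv4 address. Dots are escaped so "." cannot match an arbitrary character,
# and neighbouring digits are rejected so 169.254.183.37 does not also report
# 169.254.183.371 or 1169.254.183.37.
find_addr_refs() {
    addr=$1
    shift
    escaped=$(printf '%s' "$addr" | sed 's/\./\\./g')
    grep -rHnE -- "(^|[^0-9.])${escaped}([^0-9]|\$)" "$@" 2>/dev/null
}

# Constructed sample tree standing in for /etc/rc.d (not taken from a real host).
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/rc.d/init.d" "$root/rc.d/rc3.d"
    printf '%s\n' '#!/bin/sh' 'echo "starting local services"' \
        > "$root/rc.d/rc.local"
    printf '%s\n' '#!/bin/sh' \
        '/sbin/route add -host 169.254.183.37 dev eth0' \
        > "$root/rc.d/init.d/netsetup"
    # Near misses that a plain grep "169.254.183.37" would also report.
    printf '%s\n' 'ADDR=169.254.183.371' 'ADDR=169x254y183z37' \
        > "$root/rc.d/rc3.d/S99misc"
    printf '%s\n' "$root"
}

# Run the search over the constructed tree, then clean up.
sample=$(make_sample_tree)
find_addr_refs 169.254.183.37 "$sample/rc.d"
rm -rf "$sample"
```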