
Re: [cobalt-users] [RaQ3] Kernel IP routing table HACKED?



on 7/28/01 8:57 AM, flash22@xxxxxxx at flash22@xxxxxxx wrote:

> On Fri, 27 Jul 2001, enrique wrote:
> 
>> on 7/27/01 1:38 PM, Curtis Ross at Curtis_Ross@xxxxxx wrote:
>> 
>>>> -----Original Message-----
>>>> From:     enriquevega@xxxxxxx@CPR
>>>> Sent:    Thursday, July 26, 2001 9:55 AM
>>>> To:    cobalt-users@xxxxxxxxxxxxxxx
>>>> Subject:    Re: [cobalt-users] [RaQ3] Kernel IP routing table
>>> HACKED?
>>> 
>>> <snip>
>>>>>> My RaQ3 was recently hacked by Dwarf. I was notified by a change to
>>> an...
>>>>> ... 
>>>>>> 169.254.183.37 which seems to end up at blackhole.isi.edu.
>>>>>> 
>>>> Hmm, then I definitely have been hacked!
>>> <snip>
>>> 
>>> I would check with your ISP and see if they are using that IP for
>>> hardware routing. It may not have any relationship with you being
>>> hacked.
>> 
>> I did, and they said 169.254.183.37 has nothing to do with their network. So
>> what can I do to find the script which loads this ip address during bootup?
> 
> ok, try this for a start
> 
> grep "169.254.183.37" /etc/rc.d/* /etc/rc.d/*/*
> 
> see what turns up....unfortunately, it could be anywhere...

Ok, so here are the results:
[root@www admin]# grep "169.254.183.37" /etc/rc.d/* /etc/rc.d/*/*
grep: /etc/rc.d/init.d: Is a directory
grep: /etc/rc.d/rc0.d: Is a directory
grep: /etc/rc.d/rc1.d: Is a directory
grep: /etc/rc.d/rc2.d: Is a directory
grep: /etc/rc.d/rc3.d: Is a directory
grep: /etc/rc.d/rc4.d: Is a directory
grep: /etc/rc.d/rc5.d: Is a directory
grep: /etc/rc.d/rc6.d: Is a directory
grep: /etc/rc.d/rcN.d: Is a directory
grep: /etc/rc.d/rc3.d/S91atalk: No such file or directory

No files? And why would I get a listing for no such file/directory? I guess
this means there is no file with the ip address in /etc/rc.d? So where else
should I look?

> 
> also check you don't have a site configured for this address anywhere

Nope, at least not through the GUI.

Thank you for your help so far!

enrique
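
Added example, not part of the original message: in the grep output above, the "Is a directory" lines come from the glob matching directories (grep without -r only reports them), and "No such file or directory" for a name the shell glob expanded means a symlink whose target is missing. The shell sketch below searches a tree for the literal address and lists such dangling links separately; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example; scan_for_ip, find_dangling and the sample tree are hypothetical.

# Print file:line:text for each regular file under the given directories
# that contains the literal string $1.
#   -F  fixed string, so "." matches only a dot (not any character)
#   -n  line number, -H always print the file name
# find -type f skips symlinks, so each init script is read once via init.d.
scan_for_ip() {
    ip=$1; shift
    find "$@" -type f -exec grep -FnH -e "$ip" {} + 2>/dev/null
}

# Print symlinks whose target no longer exists. grep reports these as
# "No such file or directory": the glob matched the link name, but the
# file it points to cannot be opened.
find_dangling() {
    find "$@" -type l ! -exec test -e {} \; -print 2>/dev/null
}

# Constructed sample tree, so the example runs without touching /etc.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc3.d"
    printf '#!/bin/sh\nroute add -host 169.254.183.37 dev eth0\n' > "$root/init.d/network"
    printf '#!/bin/sh\necho 169x254y183z37\n' > "$root/init.d/decoy"  # regex-only match
    ln -s ../init.d/network "$root/rc3.d/S10network"
    ln -s ../init.d/atalk "$root/rc3.d/S91atalk"   # target missing
    echo "$root"
}

main() {
    root=$(make_sample_tree)
    echo "== files containing the address =="
    scan_for_ip 169.254.183.37 "$root"
    echo "== dangling symlinks =="
    find_dangling "$root"
    rm -rf "$root"
}

main
```

On the real machine the same two functions take /etc/rc.d, or all of /etc, as the directory argument.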