Re: [cobalt-users] [RaQ3] Kernel IP routing table HACKED?
- Subject: Re: [cobalt-users] [RaQ3] Kernel IP routing table HACKED?
- From: enrique <enriquevega@xxxxxxx>
- Date: Sat Jul 28 02:26:57 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
on 7/28/01 8:57 AM, flash22@xxxxxxx at flash22@xxxxxxx wrote:
> On Fri, 27 Jul 2001, enrique wrote:
>
>> on 7/27/01 1:38 PM, Curtis Ross at Curtis_Ross@xxxxxx wrote:
>>
>>>> -----Original Message-----
>>>> From: enriquevega@xxxxxxx@CPR
>>>> Sent: Thursday, July 26, 2001 9:55 AM
>>>> To: cobalt-users@xxxxxxxxxxxxxxx
>>>> Subject: Re: [cobalt-users] [RaQ3] Kernel IP routing table
>>> HACKED?
>>>
>>> <snip>
>>>>>> My RaQ3 was recently hacked by Dwarf. I was notified by a change to
>>> an...
>>>>> ...
>>>>>> 169.254.183.37 which seems to end up at blackhole.isi.edu.
>>>>>>
>>>> Hmm, then I definitely have been hacked!
>>> <snip>
>>>
>>> I would check with you ISP and see if they are using that IP for
>>> hardware routing. It may not have any relationship with you being
>>> hacked.
>>
>> I did, and they said 169.254.183.37 has nothing to do with their network. So
>> what can I do to find the script which loads this ip address during bootup?
>
> ok, try this for a start
>
> grep "169.254.183.37" /etc/rc.d/* /etc/rc.d/*/*
>
> see what turns up....unfortunately, it could be anywhere...
[root@www admin]# grep -r "169.254.183.37" /etc/
grep: /etc/rc.d/rc3.d/S91atalk: No such file or directory
/etc/mail/access:169.254.183.37 550 Mail rejected due to possible SPAM
Binary file /etc/mail/access.db matches
/etc/sysconfig/network-scripts/ifcfg-eth0:0:IPADDR=169.254.183.37
Ok, so when I look at /etc/sysconfig/network-scripts/ifcfg-eth0:0 I get the
following:
DEVICE=eth0:0
IPADDR=169.254.183.37
NETMASK=255.255.0.0
NETWORK=169.254.0.0
BROADCAST=169.254.255.255
ONBOOT=yes
ALIAS=yes
BOOTPROTO=none
Looks like this may be the file which sets the route during boot. Do I
simply delete this file?
I also wonder if I need to delete it from access.db, but since it is a
binary file, I'm not sure how to view/edit this file. I've used emacs in the
past, but it doesn't seem to work with binary files. Any suggestions will be
greatly appreciated.
enrique
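An added example, not part of the thread above and not Cobalt's code, showing how a practitioner would carry out the search the thread describes: find every exact reference to an address under a directory, and audit Red Hat-style ifcfg-* files for a boot-time alias in the 169.254.0.0/16 link-local range without sourcing the files (ifup sources them as shell, so a file planted by an intruder could run commands). The script assumes POSIX sh with GNU grep; the sample ifcfg file it writes into a temporary directory is a constructed copy of the one quoted in the post, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit ifcfg-* files and locate exact references to an IP address.

# ip2int DOTTED_QUAD -> prints the address as an unsigned 32-bit integer.
ip2int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR NET/BITS -> exit 0 when ADDR lies inside the network.
ip_in_cidr() {
    _ip=$(ip2int "$1")
    _net=$(ip2int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# audit_ifcfg FILE -> prints "DEVICE IPADDR" and exits 0 when FILE brings up an
# address in 169.254.0.0/16 at boot (ONBOOT=yes); exits 1 otherwise.
# The file is parsed line by line rather than sourced: the network scripts
# source ifcfg files as shell, so a tampered file must never be executed here.
audit_ifcfg() {
    _dev='' _addr='' _onboot=''
    while IFS= read -r _line || [ -n "$_line" ]; do
        _key=${_line%%=*}
        _val=${_line#*=}
        _val=${_val%\"}; _val=${_val#\"}
        case "$_key" in
            DEVICE) _dev=$_val ;;
            IPADDR) _addr=$_val ;;
            ONBOOT) _onboot=$_val ;;
        esac
    done < "$1"
    if [ "$_onboot" = yes ] && [ -n "$_addr" ] && ip_in_cidr "$_addr" 169.254.0.0/16; then
        printf '%s %s\n' "$_dev" "$_addr"
        return 0
    fi
    return 1
}

# find_ip_refs DIR ADDR -> lists file:line hits for the exact address.
# -F keeps the dots literal (an unescaped grep "169.254.183.37" also matches
# 169x254x183x37), -w stops 169.254.183.37 from matching 169.254.183.370, and
# stderr is dropped so dangling symlinks such as a missing S91atalk do not
# clutter the listing.
find_ip_refs() {
    grep -rFw -- "$2" "$1" 2>/dev/null
}

# Demonstration on a constructed copy of the alias file quoted in the thread.
_tmp=$(mktemp -d)
cat > "$_tmp/ifcfg-eth0:0" <<'EOF'
DEVICE=eth0:0
IPADDR=169.254.183.37
NETMASK=255.255.0.0
NETWORK=169.254.0.0
BROADCAST=169.254.255.255
ONBOOT=yes
ALIAS=yes
BOOTPROTO=none
EOF
if _hit=$(audit_ifcfg "$_tmp/ifcfg-eth0:0"); then
    echo "boot-time link-local alias found: $_hit"
fi
find_ip_refs "$_tmp" 169.254.183.37 || true
rm -rf "$_tmp"
```

On the access.db question raised in the post: with stock sendmail the hashed access.db is generated from the plain-text /etc/mail/access, so the text file is the one to edit, after which `makemap hash /etc/mail/access < /etc/mail/access` regenerates the database (this assumes the RaQ3 uses an unmodified sendmail makemap). Editing the .db directly is not needed.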