
RE: [cobalt-users] Signs That Your System May Have Been Compromised



> Dan, thanks for the input, but I have to tell you that I've spent the
> last three weeks reading the archives. The archive is what sent me to
> cert.org, and made me start looking into the directions they gave to
> find out if I'd been compromised. As far as I know, there is nothing in
> the archives about using the command "find / -user root -perm -4000
> -print"
>
> Can you give any guidance on this issue? Below are the files which were
> returned by giving the above command:
>

I would try to find any *.pl or *.cgi on the server calling that. It's
possible someone has an insecure script running, would be my guess, rather
than someone getting access some other way. If they had root access I think
they would have probably done more than just defaced a web page.

--
Dan Kriwitsky
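
Added example, not part of the original thread: a small shell sketch that turns the find command quoted above into a baseline comparison and then looks for *.pl / *.cgi scripts that mention a flagged file, as the reply suggests. The function names, the baseline file and the web root path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). All names here are hypothetical.

# suid_files ROOT [OWNER]
# Same test as "find / -user root -perm -4000 -print", limited to regular
# files on one filesystem and sorted so two runs can be compared.
suid_files() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 -print 2>/dev/null |
        LC_ALL=C sort
}

# new_suid BASELINE ROOT [OWNER]
# Print setuid files that are present now but missing from BASELINE, a list
# saved earlier with suid_files while the system was in a known-good state.
new_suid() {
    suid_files "$2" "$3" | LC_ALL=C comm -13 "$1" -
}

# scripts_calling WEBROOT NAME
# List *.pl and *.cgi files under WEBROOT whose text mentions NAME
# (fixed-string match, so NAME is not treated as a regular expression).
scripts_calling() {
    find "$1" -type f \( -name '*.pl' -o -name '*.cgi' \) \
        -exec grep -lF -- "$2" {} + 2>/dev/null | LC_ALL=C sort
}

# Typical use (paths are placeholders):
#   suid_files / > /root/suid.baseline          # on a clean system
#   new_suid /root/suid.baseline /              # later: anything listed is new
#   scripts_calling /path/to/webroot some_file  # which CGI scripts reference it
```

An empty result from new_suid only means nothing was added since the baseline was taken; it says nothing about files that were already setuid when the baseline was recorded.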