Re: [cobalt-users] Hacked Into
- Subject: Re: [cobalt-users] Hacked Into
- From: almax@xxxxxxxxxxxxxxx
- Date: Sun Sep 16 19:36:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Marco
The attacks appear to have come from 3 different IPs when we went through the server logs. I am now investigating how the file got in there.
Thanks
Simon
> Hi Simon,
> If the attacks come from the same IP all the time, you should check how they
> get the files on your system. If it is via FTP, you can use the inetd
> service to block this particular address; therefore consult the man pages
> for the host.allow and host.deny files.
>
>
> On 17.9.2001 11:30, almax@xxxxxxxxxxxxxxx wrote to almax@xxxxxxxxxxxxxxx:
>
> > Back from holiday, server hacked, oh joy.
> >
> > It appears that somebody randomly whoised a domain on one of our servers and
> > uploaded a 100mb file by the name of french-porn.dvd.divx.avi and then set
> > servers wgetting it, eating up 9gb of bandwidth in little over 8 hours.
> > Luckily this happened the day before I returned and so I managed to delete the
> > file, grab IPs from the server logs and as I thought, stop the leak.
> >
> > However, came in today and find that a 1.5gb file beautifulgirls.tar has
> > suddenly appeared once again in the web folder and another 1.3gb of transfer
> > has disappeared. I suspect we are being used by a porn site who are happy to
> > have found a fast web server. What worries me is that I have applied every
> > single security update from Cobalt as soon as they have come out.
> >
> > Does anyone have any info that could help me, i.e. programs to make the RaQ4i
> > more secure. I don't believe they have access to the server as everything is
> > just going to this one domain, which I have now removed from the server and it
> > will remain to be seen if files start appearing in the other domains. I do
> > not know if there are ways to hack into the web domain of the server and put
> > the files in.
> >
> > I am the only user on the whole of the RaQ and therefore, I do not believe it
> > is a case of an "inside job" or users on other domains somehow gaining access.
> >
> > Any help would be most appreciated.
> >
> > Thanks
> >
> > Simon
> >
> > _______________________________________________
> > cobalt-users mailing list
> > cobalt-users@xxxxxxxxxxxxxxx
> > To Subscribe or Unsubscribe, please go to:
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
>
> =======================================================================
>
> Marco Baurdoux
> Unix Administrator
> Infomaniak Network SA
> Avenue de la Praille 26
> 1227 Carouge
> Switzerland
> Tel: 41 (0)22 820 35 41
> Fax: 41 (0)22 820 35 46
> http://web.infomaniak.ch
>
> =======================================================================
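
Added example, not part of the original thread: one way to check whether large files reached the web folder over FTP and from which addresses, then produce hosts.deny-style entries for those addresses. It assumes the FTP daemon writes the 18-field xferlog format; the sample log lines, the `/home/sites/site1/web/` path, the 50 MB threshold and the `in.ftpd` daemon name are constructed or assumed for illustration.

```python
from collections import defaultdict

# Constructed sample records in xferlog format (not taken from the thread).
SAMPLE_XFERLOG = """\
Sat Sep 15 02:10:44 2001 611 192.0.2.10 104857600 /home/sites/site1/web/video.avi b _ i a guest@example.invalid ftp 0 * c
Sat Sep 15 09:02:13 2001 2 198.51.100.7 4096 /home/sites/site1/web/index.html b _ i r admin ftp 0 * c
Sun Sep 16 01:47:30 2001 5120 203.0.113.25 1610612736 /home/sites/site1/web/big archive.tar b _ i a anon@example.invalid ftp 0 * c
Sun Sep 16 03:00:00 2001 40 203.0.113.25 1024 /home/sites/site1/web/readme.txt a _ o a anon@example.invalid ftp 0 * c
"""

def parse_line(line):
    """Parse one xferlog record; return None if it is malformed."""
    tok = line.split()
    if len(tok) < 18:            # 8 leading fields, filename, 9 trailing fields
        return None
    head, tail = tok[:8], tok[-9:]
    if not head[7].isdigit():    # file size must be numeric
        return None
    # The filename is whatever sits between the fixed head and tail fields.
    return {"when": " ".join(head[:5]), "host": head[6], "size": int(head[7]),
            "path": " ".join(tok[8:-9]), "direction": tail[2],
            "access": tail[3], "user": tail[4], "complete": tail[8] == "c"}

def large_uploads(log_text, web_root, min_bytes):
    """Incoming ('i') transfers under web_root of at least min_bytes."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["direction"] == "i"
            and r["path"].startswith(web_root) and r["size"] >= min_bytes]

def summarize_by_host(records):
    """Total uploaded bytes, file list and anonymous-login flag per host."""
    out = defaultdict(lambda: {"bytes": 0, "files": [], "anonymous": False})
    for r in records:
        s = out[r["host"]]
        s["bytes"] += r["size"]
        s["files"].append(r["path"])
        s["anonymous"] = s["anonymous"] or r["access"] == "a"
    return dict(out)

def hosts_deny_lines(hosts, daemon="in.ftpd"):
    """'daemon: client' entries; the daemon name is an assumption."""
    return [f"{daemon}: {h}" for h in sorted(hosts)]

if __name__ == "__main__":
    hits = large_uploads(SAMPLE_XFERLOG, "/home/sites/site1/web/", 50 * 1024 * 1024)
    summary = summarize_by_host(hits)
    for host, s in summary.items():
        print(host, s["bytes"], "anonymous" if s["anonymous"] else "real", s["files"])
    print("\n".join(hosts_deny_lines(summary)))
```

An anonymous access mode on the uploads would point to a writable anonymous FTP area as the way in, which blocking single addresses does not close.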