
Re: [cobalt-users] Hacked Into



Will check that now.
Thanks

Simon

> Are the three IPs from the same class?
> Carefully check your /var/log/xferlog:
> 
> grep -w -F ip_address_to_search /var/log/xferlog
> This will tell you if they came in via FTP.
> 
> grep -w -F ip_address_to_search /var/log/messages
> This will tell you if they used the SSH or Telnet services to come in.
> 
> All of this, of course, only if they didn't erase the log files. Like I always do
> when I manage to get in :-)) (but of course I never get in!!!)
> 
> 
> On 17.9.2001 12:20, almax@xxxxxxxxxxxxxxx wrote to almax@xxxxxxxxxxxxxxx:
> 
> > 
> > Marco
> > 
> > The attacks appear to have come from 3 different IPs when we went through the
> > server logs. I am now investigating how the file got in there.
> > 
> > Thanks
> > 
> > Simon
> >> Hi Simon,
> >> If the attacks come from the same IP all the time, you should check how they
> >> get the files onto your system. If it is via FTP, you can use the inetd
> >> service to block this particular address; consult the man pages
> >> for the hosts.allow and hosts.deny files.
> >> 
> >> 
> >> On 17.9.2001 11:30, almax@xxxxxxxxxxxxxxx wrote to almax@xxxxxxxxxxxxxxx:
> >> 
> >>> Back from holiday, server hacked, oh joy.
> >>> 
> >>> It appears that somebody randomly whoised a domain on one of our servers and
> >>> uploaded a 100mb file by the name of french-porn.dvd.divx.avi and then set
> >>> servers wgetting it, eating up 9gb of bandwidth in little over 8 hours.
> >>> Luckily this happened the day before I returned, and so I managed to delete the
> >>> file, grab IPs from the server logs and, as I thought, stop the leak.
> >>> 
> >>> However, I came in today and find that a 1.5gb file beautifulgirls.tar has
> >>> suddenly appeared once again in the web folder and another 1.3gb of transfer
> >>> has disappeared. I suspect we are being used by a porn site who are happy to
> >>> have found a fast web server. What worries me is that I have applied every
> >>> single security update from Cobalt as soon as they have come out.
> >>> 
> >>> Does anyone have any info that could help me, i.e. programs to make the RaQ4i
> >>> more secure. I don't believe they have access to the server as everything is
> >>> just going to this one domain, which I have now removed from the server, and it
> >>> will remain to be seen if files start appearing in the other domains. I do
> >>> not know if there are ways to hack into the web domain of the server and put
> >>> the files in.
> >>> 
> >>> I am the only user on the whole of the RaQ and therefore I do not believe it
> >>> is a case of an "inside job" or users on other domains somehow gaining
> >>> access.
> >>> 
> >>> Any help would be most appreciated.
> >>> 
> >>> Thanks
> >>> 
> >>> Simon
> >>> 
> >>> _______________________________________________
> >>> cobalt-users mailing list
> >>> cobalt-users@xxxxxxxxxxxxxxx
> >>> To Subscribe or Unsubscribe, please go to:
> >>> http://list.cobalt.com/mailman/listinfo/cobalt-users
> >> 
> >> =======================================================================
> >> 
> >> Marco Baurdoux
> >> Unix Administrator
> >> Infomaniak Network SA
> >> Avenue de la Praille 26
> >> 1227 Carouge
> >> Switzerland
> >> Tel:  41 (0)22 820 35 41
> >> Fax:  41 (0)22 820 35 46
> >> http://web.infomaniak.ch
> >> 
> >> =======================================================================
> >> 
> >> 
> >> 
> > 
> 
> 
> 
> 
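The log check Marco describes above, worked through as an added example that is not part of the original thread. It greps /var/log/xferlog and /var/log/messages for a suspect address the safe way (the IP taken literally with -F so its dots are not regex wildcards, and -w so 192.0.2.10 does not also hit 192.0.2.100), pulls the actual uploads out of xferlog by direction flag, lists which wrapped services the address touched, and emits the hosts.deny line that turns it away. The log lines are constructed samples standing in for the real files; hostnames, times, PIDs and user names are invented, only the two filenames come from Simon's post. The xferlog field layout is the standard wu-ftpd/proftpd one. One caveat the thread does not state: tcp_wrappers only protects services started through inetd/tcpd (or linked against libwrap), so a hosts.deny entry does nothing for a file dropped into the web folder through Apache.

```shell
#!/bin/sh
# Added example, not code from the cobalt-users thread.
# Sample logs below are constructed; only the two filenames are from the post.

# Write constructed stand-ins for /var/log/xferlog and /var/log/messages into $1.
write_sample_logs() {
    dir=$1
    cat > "$dir/xferlog" <<'EOF'
Mon Sep 17 03:12:41 2001 212 192.0.2.10 104857600 /home/sites/site3/web/french-porn.dvd.divx.avi b _ i r site3 ftp 0 * c
Mon Sep 17 03:20:05 2001 3 192.0.2.100 2048 /home/sites/site1/web/index.html b _ o a guest ftp 0 * c
Tue Sep 18 09:01:17 2001 801 192.0.2.10 1610612736 /home/sites/site3/web/beautifulgirls.tar b _ i r site3 ftp 0 * c
Tue Sep 18 09:30:00 2001 1 192.0.2.10 512 /home/sites/site3/web/.htaccess b _ o r site3 ftp 0 * c
EOF
    cat > "$dir/messages" <<'EOF'
Sep 17 03:10:02 raq4 in.ftpd[1250]: connect from 192.0.2.10
Sep 17 03:11:40 raq4 in.telnetd[1240]: connect from 192.0.2.100
Sep 17 03:11:55 raq4 sshd[1234]: Accepted password for admin from 192.0.2.100 port 3122 ssh2
Sep 18 09:00:01 raq4 in.ftpd[1330]: connect from 192.0.2.10
EOF
}

# Number of lines in log $1 that mention IP $2 as a whole token.
# -F: the IP is a literal string, so "." is not "any character".
# -w: 192.0.2.10 must not also count 192.0.2.100 or 192.0.2.101.
# grep -c exits 1 when the count is 0; "|| true" keeps set -e quiet.
count_hits() {
    grep -c -w -F -- "$2" "$1" || true
}

# Files IP $2 pushed onto the box over FTP, from xferlog $1.
# wu-ftpd/proftpd xferlog fields: 1-5 date, 6 transfer time, 7 remote host,
# 8 size, 9 path, 10 type, 11 special flag, 12 direction ("i" = incoming
# upload, "o" = download). Downloads are what the leeching servers did;
# the "i" lines are how the files got there.
ftp_uploads_from() {
    awk -v ip="$2" '$7 == ip && $12 == "i" { print $9 }' "$1"
}

# Wrapped services (tcpd "connect from", sshd accepts) IP $2 touched, per
# messages log $1: the "prog[pid]:" token of every matching line, de-duplicated.
services_used_by() {
    grep -w -F -- "$2" "$1" \
        | sed 's/^.* \([A-Za-z.]*\)\[[0-9]*\]:.*$/\1/' \
        | sort -u
}

# The /etc/hosts.deny entry that refuses IP $1 on every tcpd-wrapped service.
# Apache is not wrapped, so this does not stop uploads arriving over HTTP.
hosts_deny_line() {
    printf 'ALL: %s\n' "$1"
}

# Stand-alone run over the constructed logs.
tmp=$(mktemp -d)
write_sample_logs "$tmp"
for ip in 192.0.2.10 192.0.2.100; do
    echo "== $ip: $(count_hits "$tmp/xferlog" "$ip") xferlog line(s), $(count_hits "$tmp/messages" "$ip") messages line(s)"
    echo "   FTP uploads:"; ftp_uploads_from "$tmp/xferlog" "$ip"
    echo "   services:";    services_used_by "$tmp/messages" "$ip"
    echo "   hosts.deny:";  hosts_deny_line "$ip"
done
rm -rf "$tmp"
```

Run it as-is to see the constructed case, or point `count_hits` and `ftp_uploads_from` at the real /var/log/xferlog once logged in; if the address shows up in xferlog with direction "i" but never in messages, FTP was the way in and the site's FTP password is what to rotate.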