
Re: [cobalt-users] Hacked Into



At 10:30 17-09-2001 +0100, almax@xxxxxxxxxxxxxxx wrote:
>Back from holiday, server hacked, oh joy.

>However, came in today and find that a 1.5gb file beautifulgirls.tar has
>suddenly appeared once again in the web folder and another 1.3gb of
>transfer has disappeared.  I suspect we are being used by a porn site who
>are happy to have found a fast web server.  What worries me is that I have
>applied every single security update from Cobalt as soon as they have come
>out.

Adult sites take a lot of bandwidth.  The security updates from Cobalt
only secure the default server configuration (no additional CGI scripts,
etc).

>Does anyone have any info that could help me, ie programs to make the
>RaQ4i more secure.  I don't believe they have access to the server as
>everything is just going to this one domain, which I have now removed from
>the server and it will remain to be seen if files start appearing in the
>other domains.  I do not know if there are ways to hack into the web domain
>of the server and put the files in.

Assuming that the logs have not been tampered with, have you checked them to
see how the files were uploaded to your server?  There are a bunch of log
files in /var/log which may provide you with access information.  If the
intruder gained access to one domain, it is best to assume that he/she had
access to the box (all domains hosted).  The person(s) are uploading files
over 1 GB and they would use FTP for that.  You can track that through
the xferlog.  If the upload was done through "anonymous", this isn't a hack
but a server configuration issue.

>I am the only user on the whole of the RaQ and therefore, I do not believe
>it is a case of an "inside job" or users on other domains somehow gaining
>access.

Verify the login history to see whether all access was from your IP.

Regards,
-sm
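The reply above suggests two checks: read the FTP xferlog to see who uploaded the large files (and whether it was done as "anonymous"), and compare the source hosts against the addresses you normally log in from. The script below is an added example for this thread, not code from the original post or from Cobalt. It assumes the standard wu-ftpd/ProFTPD xferlog field layout (timestamp, transfer time, remote host, size, filename, type, flag, direction, access mode, username, service, auth method, auth uid, completion status) and that the FTP daemon writes filenames with spaces replaced by underscores, so whitespace splitting is safe. The log lines and the "trusted host" address are constructed for the example.

```python
"""Triage an FTP xferlog for large uploads, anonymous access and unexpected hosts.

Added example for the cobalt-users thread; not the original poster's code
and not a Cobalt tool. Assumes the wu-ftpd/ProFTPD xferlog format.
Sample lines are constructed (hosts taken from the 203.0.113.0/24
documentation range).
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set

# Constructed sample xferlog: a real-user upload of a small page, an anonymous
# 1.5 GB upload, a small download, and an anonymous 1.3 GB download.
SAMPLE_XFERLOG = """\
Mon Sep 17 02:41:03 2001 3 203.0.113.5 18234 /home/sites/site1/web/index.html b _ i r admin ftp 1 * c
Mon Sep 17 03:12:45 2001 1840 203.0.113.77 1610612736 /home/sites/site1/web/beautifulgirls.tar b _ i a guest@ ftp 0 * c
Mon Sep 17 03:58:10 2001 2 203.0.113.5 4096 /home/sites/site1/web/logo.gif b _ o r admin ftp 1 * c
Mon Sep 17 04:20:31 2001 1502 203.0.113.77 1395864371 /home/sites/site1/web/beautifulgirls.tar b _ o a guest@ ftp 0 * c
"""


class Transfer(NamedTuple):
    when: str        # "Mon Sep 17 03:12:45 2001"
    host: str        # remote host or IP
    size: int        # bytes transferred
    path: str        # file name on the server
    direction: str   # 'i' = incoming (upload), 'o' = outgoing (download)
    mode: str        # 'a' anonymous, 'g' guest, 'r' real (password) user
    user: str        # login name, or the e-mail given for anonymous
    status: str      # 'c' complete, 'i' incomplete


def parse_xferlog(text: str) -> List[Transfer]:
    """Parse xferlog lines into Transfer records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue  # blank or truncated line: skip rather than abort triage
        records.append(Transfer(
            when=" ".join(f[0:5]),
            host=f[6],
            size=int(f[7]),
            path=f[8],
            direction=f[11],
            mode=f[12],
            user=f[13],
            status=f[17],
        ))
    return records


def large_uploads(transfers: Iterable[Transfer],
                  threshold: int = 100 * 1024 * 1024) -> List[Transfer]:
    """Incoming transfers at or above `threshold` bytes (default 100 MiB)."""
    return [t for t in transfers if t.direction == "i" and t.size >= threshold]


def anonymous_transfers(transfers: Iterable[Transfer]) -> List[Transfer]:
    """Transfers done via anonymous FTP: a configuration issue, not a break-in."""
    return [t for t in transfers if t.mode == "a"]


def bytes_by_host(transfers: Iterable[Transfer]) -> Dict[str, int]:
    """Total bytes moved per remote host, to see who is eating the bandwidth."""
    totals: Dict[str, int] = defaultdict(int)
    for t in transfers:
        totals[t.host] += t.size
    return dict(totals)


def unexpected_hosts(transfers: Iterable[Transfer],
                     trusted: Set[str]) -> Set[str]:
    """Remote hosts in the log that are not in the admin's own address set."""
    return {t.host for t in transfers} - trusted


if __name__ == "__main__":
    xfers = parse_xferlog(SAMPLE_XFERLOG)
    for t in large_uploads(xfers):
        print(f"large upload: {t.size} bytes to {t.path} from {t.host} "
              f"(mode={t.mode}, user={t.user}) at {t.when}")
    print("anonymous transfers:", len(anonymous_transfers(xfers)))
    print("bytes by host:", bytes_by_host(xfers))
    # "203.0.113.5" stands in for the administrator's own IP (constructed).
    print("hosts other than yours:", unexpected_hosts(xfers, {"203.0.113.5"}))
```

On a RaQ the real log would be read with `parse_xferlog(open("/var/log/xferlog").read())`; the access-mode column answers the reply's "anonymous" question directly, and the per-host totals line up with the missing transfer quota the original poster noticed.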