
Re: [cobalt-users] Help! The case of the disapearing remote



>>Regardless, the logs show that swatch and other cron programs are running
>>faithfully every 15 minutes during the outage, but absolutely NO network
>>traffic is measured. There is no record of the services shutting down or
>>restarting either -- the machine just stops answering. Dead silence for
>>almost an hour, and then suddenly, it shows up again, happy as a clam and
>>answering all its ports as normal.

I saw exactly the same problem on a RAQ4 some weeks ago. Unfortunately it
was caused by a hacker who was using the server to hack other locations from
there.

After analyzing the system I've found the following:

- sometimes (usually at night) a ps -ef was showing a process trying to
make ssh connections to other hosts
- I've found several programs (assh, read, scan, start, targets, v, wroot,
wu, cl, sc, sssh, statdx, targets.txt, write, wscan, x2) in a hidden
directory
- the login program was modified and all passwords were being collected in a
file (can't remember the name). Some other binaries like "write" were also
modified
- no records of the hacker's activities were found in the system log files.
- /etc/passwd was modified to allow shell access to several accounts
- the system was listening on a non-standard port for incoming ssh
connections from the hacker

My recommendation is to request a clean server from your provider (if you are
renting a dedicated one) and migrate everything there. I'm sure many binaries
were modified and a fresh OS was needed.
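The indicators listed in the reply above (accounts given shells in /etc/passwd, a hidden directory full of executables, a listener on an unexpected port, and replaced binaries such as login and write) are the kind of thing a defender can check for with a few shell functions. The script below is an added example written for this page; it is not from the cobalt-users list or from Cobalt, and all file names, ports and sample data in it are constructed. Each check works from an explicit baseline (a passwd copy, an allowlist of ports, a hash manifest) recorded while the machine was still clean, which is the only way to tell "modified" from "normal".

```shell
#!/bin/sh
# Hypothetical triage helpers for the indicators the post describes. Added
# example, not code from the list or from Cobalt. Run them from a known-good
# environment (rescue boot, or statically linked tools on read-only media):
# on a box where ps, ls or netstat were replaced, their output lies to you.

# Accounts that have an interactive shell in a passwd-format file ("name:shell").
login_capable_accounts() {  # $1 = passwd file
    awk -F: '$7 != "" && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# Accounts that can log in now but could not in a baseline copy of passwd,
# i.e. the "/etc/passwd was modified to allow shell access" indicator.
newly_enabled_shells() {    # $1 = baseline passwd, $2 = current passwd
    awk -F: '
        FILENAME == ARGV[1] { if ($7 != "" && $7 !~ /(nologin|false)$/) base[$1] = 1; next }
        $7 != "" && $7 !~ /(nologin|false)$/ && !($1 in base) { print $1 ":" $7 }
    ' "$1" "$2"
}

# Dot-prefixed directories under a tree that contain executable regular files
# (paths printed relative to the tree, e.g. ./tmp/.cache). Heuristic: expect
# some noise from legitimate dotdirs, but a tool cache like the one in the
# post shows up here.
hidden_dirs_with_executables() {  # $1 = directory tree to sweep
    (cd "$1" && find . -type f -perm -100 -path '*/.*/*' 2>/dev/null \
        | sed 's#/[^/]*$##' | sort -u)
}

# TCP ports currently in LISTEN state, one per line (ss, else netstat).
current_listen_ports() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltnH 2>/dev/null | awk '{ sub(/.*:/, "", $4); print $4 }'
    else
        netstat -ltn 2>/dev/null | awk '$6 == "LISTEN" { sub(/.*:/, "", $4); print $4 }'
    fi
}

# Listening ports absent from an allowlist (one port per line in $1), which is
# how a non-standard ssh listener stands out.
unexpected_listen_ports() { # $1 = allowlist file, $2 = file of listening ports
    sort -un "$2" | grep -vxF -f "$1"
}

# Record SHA-256 hashes of binaries a rootkit tends to replace (login, write,
# ps, netstat, ls ...) on a clean install; later report those whose hash changed.
record_binary_hashes() {    # $1 = manifest to write, remaining args = files
    manifest=$1; shift
    sha256sum "$@" > "$manifest"
}
changed_binaries() {        # $1 = manifest; prints each path that no longer matches
    sha256sum -c "$1" 2>/dev/null | awk -F': ' '$NF != "OK" { print $1 }'
}

# Demonstration on constructed data only; no real system files are touched.
demo() {
    work=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nftp:x:14:50::/var/ftp:/sbin/nologin\n' > "$work/passwd.base"
    printf 'root:x:0:0:root:/root:/bin/sh\nftp:x:14:50::/var/ftp:/bin/sh\n' > "$work/passwd.now"
    mkdir -p "$work/tree/tmp/.cache" "$work/tree/home/user"
    printf '#!/bin/sh\n' > "$work/tree/tmp/.cache/scan"; chmod 755 "$work/tree/tmp/.cache/scan"
    printf 'notes\n' > "$work/tree/home/user/.profile"
    printf '22\n80\n443\n' > "$work/allow"; printf '80\n22\n31337\n' > "$work/listen"
    printf 'login v1\n' > "$work/login"; printf 'write v1\n' > "$work/write"
    record_binary_hashes "$work/manifest" "$work/login" "$work/write"
    printf 'login v1 plus password logger\n' > "$work/login"   # simulate a trojaned login
    echo "shells enabled since baseline:"; newly_enabled_shells "$work/passwd.base" "$work/passwd.now"
    echo "hidden dirs with executables:";  hidden_dirs_with_executables "$work/tree"
    echo "unexpected listeners:";          unexpected_listen_ports "$work/allow" "$work/listen"
    echo "changed binaries:";              changed_binaries "$work/manifest"
    rm -rf "$work"
}

case "${1:-}" in demo) demo ;; esac
```

Run `sh triage.sh demo` to see the four checks fire on the constructed data, or source the file and call the functions against real paths (`unexpected_listen_ports allow.txt <(current_listen_ports)` style pipelines work in bash). On an RPM-based system `rpm -Va` gives a similar changed-files report, with the same caveat: if the attacker replaced rpm or its database too, a hash manifest kept off the box is the one thing they cannot edit, which is also why the poster's advice to rebuild on a clean server is the right call once binaries like login are known to be modified.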