
Re: [cobalt-users] Help! The case of the disapearing remote



Ugh... Let's hope not. Actually this box WAS trashed not too long ago, but I've been TOLD it was cleaned/scraped/etc., and I have no reason to NOT believe the colo guys (other than the fact that my sites keep disappearing).

It has all the updates, etc., and I truly don't see any such suspect files (I've used both the binaries on the box and some I uploaded from a local source to check ps, ls, netstat, find, etc...) Even the passwd file seems to be in order.

Portscans from outside the box don't show anything out of the ordinary, either. Still, I'm willing to explore the idea of yet another #@$%^ hack. Anything else in particular I should be looking for?

Thanks again all!




I saw exactly the same problem on a RAQ4 some weeks ago. Unfortunately it was caused by a hacker who was using the server to hack other locations from there.

After analyzing the system I've found the following:

- sometimes (usually at night) a ps -ef was showing a process trying to make ssh connections to other hosts
- I've found several programs (assh read scan start targets v wroot wu cl sc sssh statdx targets.txt write wscan x2) in a hidden directory
- the login program was modified and all passwords were being collected in a file (can't remember the name). Some other binaries like "write" were also modified
- no records of the hacker activities were found in the system log files
- /etc/passwd was modified to allow shell access to several accounts
- the system was listening on a non-standard port for incoming ssh connections from the hacker

My recommendation is to request a clean server from your provider (if you are renting a dedicated one) and migrate everything there. I'm sure many binaries were modified and a fresh OS was needed.
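Two of the indicators in the message above (service accounts in /etc/passwd suddenly given a real shell, and an ssh listener on a non-standard port) can be checked mechanically. The script below is an added example, not code from the original post or from Cobalt; the passwd contents, the netstat output and the port allowlist are constructed for the example, and the set of "expected" ports is an assumption you would adjust for your own host.

```python
"""Triage checks for two indicators from the post: /etc/passwd shell changes
and unexpected TCP listeners. All input data here is constructed."""

# Constructed baseline /etc/passwd (e.g. from a known-good backup of the box).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
webuser:x:500:500:Web User:/home/webuser:/bin/bash
"""

# Constructed current /etc/passwd: two service accounts now have a login shell
# and an extra UID-0 account has appeared with a hidden home directory.
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
webuser:x:500:500:Web User:/home/webuser:/bin/bash
sys2:x:0:0::/tmp/.x:/bin/bash
"""

# Constructed `netstat -ltn`-style output with one listener outside the allowlist.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
"""

# Shells that deny interactive login; a change away from these is suspicious.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/bin/sync"}

# Assumed per-host baseline of ports that should be listening; adjust to taste.
EXPECTED_LISTENERS = {22, 25, 80, 81, 110, 443}


def parse_passwd(text):
    """Return {username: {uid, gid, home, shell}} from passwd-format text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # malformed line; skip rather than crash mid-triage
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return entries


def passwd_findings(baseline_text, current_text):
    """Compare a baseline passwd against the current one and list deviations."""
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    findings = []
    for name, entry in cur.items():
        if name not in base:
            findings.append(f"new account: {name} uid={entry['uid']} shell={entry['shell']}")
        elif base[name]["shell"] in NOLOGIN_SHELLS and entry["shell"] not in NOLOGIN_SHELLS:
            findings.append(f"shell granted: {name} {base[name]['shell']} -> {entry['shell']}")
        if entry["uid"] == 0 and name != "root":
            findings.append(f"extra uid 0 account: {name}")
    for name in base.keys() - cur.keys():
        findings.append(f"account removed: {name}")
    return findings


def unexpected_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Return (port, line) for every TCP LISTEN socket not in the allowlist."""
    unexpected = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])
        if port not in expected:
            unexpected.append((port, line.strip()))
    return unexpected


if __name__ == "__main__":
    for finding in passwd_findings(BASELINE_PASSWD, CURRENT_PASSWD):
        print("PASSWD:", finding)
    for port, line in unexpected_listeners(NETSTAT_SAMPLE):
        print(f"LISTENER: port {port} not in allowlist -> {line}")
```

On a box where ps, netstat or login may have been replaced, feed this script output captured by binaries copied from a clean system (as the original poster did), and cross-check the listener list against a port scan run from outside the host, since a trojaned netstat can simply omit the attacker's port.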






_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users