Re: [cobalt-users] Lost web interface w/ raq4
- Subject: Re: [cobalt-users] Lost web interface w/ raq4
- From: Jim Dory <engineer@xxxxxxxxxxxxx>
- Date: Wed Jun 5 16:34:00 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Gerald Waugh wrote:
[root /root]# dmesg | grep eth0
eth0: Invalid EEPROM checksum 0xc5f8, check settings before activating this
device!
eth0: Intel PCI EtherExpress Pro100 82559ER, 00:10:E0:02:18:B3, I/O at
0x6200, IRQ 11.
[root /root]# dmesg | grep eth1
eth1: Invalid EEPROM checksum 0x11f9, check settings before activating this
device!
eth1: Intel PCI EtherExpress Pro100 82559ER, 00:10:E0:02:19:FF, I/O at
0x6240, IRQ 10.
I checked several RaQ4s and they all say the above
Thanks Gerald. I think the nic card is fine since it does everything
else. Good to know though that the above message is pretty standard.
I was thinking I was hacked (and may have been) because I tried
[./chkrootkit] and it returned a 'maybe a LKM worm'. But when I run it
again, I don't get that message. I ran [./chkrootkit -x | more] and get
lots of suspicious stuff with what looks like a user (%s) is doing bad
things. But I get the same messages on a couple other servers here too.
Stuff like this:
[<snip>
/usr/share/locale
util-linux
chfn
%s: you (user %d) don't exist.
%s: user "%s" does not exist.
%s: can only change local entries; use yp%s instead.
Changing finger information for %s.
Password error.
Finger information not changed.
version
help<snip>]
So now I'm not sure if infected or not.
So at this point not sure what to do. Guess I need to make sure I've not
been hacked, and if not, get the Cobalt web gui back. And not sure why
the dhcp service crashed last night either, if not hack related. And if
hacked, I guess a complete restore. Lucky I have no users on this one
yet, except some file sharing stuff which I pulled today.
Cheers,
--
Jim D.