
RE: [cobalt-users] Help needed



<snip>
> There have been worms placed in my server recently.
> After clearing my LPD worm yesterday, I saw this today.
> Checking `lkm'... You have     5 process hidden for readdir command
> You have     5 process hidden for ps command
> Warning: Possible LKM Trojan installed
> I would like to know how do I fix this problem of mine from future
> attacks/worms.
</snip>

As Eddy suggests, kill the machine off. Do an O/S restore from the restore CD on the machine, which performs an FDISK and format of the partitions, as you don't know how deep the attack has actually gone.
It may have replaced /bin/bash with its own, it may have replaced /usr/sbin/httpd, who knows!!

As for ANY breach, format and start again, learning from the mistake of not hardening/securing the machine.

After rebuilding, apply every Cobalt patch, disable telnet and install SSH, install port scanning tools (such as portsentry) and use ipchains firewall rules.

Do a few searches on the lists here and you'll get information on all of the tools I've mentioned, how to install, etc, etc.

Regards,

Andy
andy@xxxxxxxxxxxxxxx
http://www.raqpak.com/ <-- Raq/Qube unofficial PKGs and support advice
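The `lkm' check quoted at the top of the thread reports processes that exist but are missing from readdir(/proc) or from ps. As an added example that is not code from this thread or from chkrootkit, the Python below reimplements that three-way comparison, with constructed sample data inline and the assumptions that /proc is Linux-style and that `ps -eo pid` prints one PID per line after a header.

```python
import os
import re
import subprocess

# Constructed sample data standing in for a live machine: PIDs a signal-0 probe
# found, what readdir(/proc) returned, and what ps printed. PID 512 exists but
# is missing from both listings, which is how an LKM rootkit hiding a process looks.
SAMPLE_PROBED = {1, 2, 511, 512, 513}
SAMPLE_PROC_ENTRIES = ["1", "2", "511", "513", "self", "cpuinfo"]
SAMPLE_PS = "  PID COMMAND\n    1 init\n    2 kthreadd\n  511 httpd\n  513 sshd"

def pid_exists(pid):
    """Ask the kernel directly with signal 0; EPERM still means the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def is_thread(pid):
    """Thread IDs answer signal 0 but are never listed in /proc; do not count them."""
    try:
        with open(f"/proc/{pid}/status") as f:
            m = re.search(r"^Tgid:\s*(\d+)", f.read(), re.M)
        return bool(m) and int(m.group(1)) != pid
    except OSError:
        return False  # unreadable: keep it as a candidate

def pids_from_readdir(entries):
    return {int(e) for e in entries if e.isdigit()}

def pids_from_ps(text):
    return {int(m.group(1)) for m in re.finditer(r"^\s*(\d+)\b", text, re.M)}

def hidden_processes(probed, readdir_pids, ps_pids):
    """Return (hidden from readdir, hidden from ps): the two counts chkrootkit prints."""
    return probed - readdir_pids, probed - ps_pids

def check_live(max_pid=32768):
    """Compare the three views on this host. Run as root: on a /proc mounted with
    hidepid, every other user's process would otherwise look hidden."""
    ps = subprocess.run(["ps", "-eo", "pid"], capture_output=True, text=True, check=True).stdout
    probed = {p for p in range(1, max_pid + 1) if pid_exists(p) and not is_thread(p)}
    readdir_pids = pids_from_readdir(os.listdir("/proc"))
    hid_rd, hid_ps = hidden_processes(probed, readdir_pids, pids_from_ps(ps))
    # A process that exited between the probe and the listings is not hidden: re-check.
    return {p for p in hid_rd if pid_exists(p)}, {p for p in hid_ps if pid_exists(p)}
```

Calling `check_live()` returns the two sets of PIDs; a non-empty set is the condition behind the "Possible LKM Trojan installed" warning and is worth investigating before trusting anything else the box reports.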