RE: [cobalt-users] [RaQ3] Cracked ?
- Subject: RE: [cobalt-users] [RaQ3] Cracked ?
- From: "Peter Masloch" <peter@xxxxxxxxxxx>
- Date: Sat Jul 6 17:07:00 2002
- Organization: EasyniX Consulting
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Netbus and Trinoo....2 nice backdoors on your server.
I hope it is not a production server....then you
should take it offline.
Peter
> Hi again folks, just got home from our short July 4 vacation
> eager to get back on my primary development machines and
> delve deeper into solving the problems we've been
> experiencing in the last week. I noticed right away upon
> getting in that the server was down again. I figured I'd do
> a quick portscan, something I've been meaning to do the last
> couple of days since installing ipchains and the pmfirewall.
> So, the first portscan shows this:
>
> Port State Service
> 22/tcp open ssh
> 25/tcp open smtp
> 53/tcp open domain
> 80/tcp open http
> 81/tcp open hosts2-ns
> 110/tcp open pop-3
> 137/tcp filtered unknown
> 138/tcp filtered unknown
> 139/tcp filtered unknown
> 443/tcp open unknown
> 444/tcp open unknown
> 3306/tcp open unknown
>
> Not too bad I guess, I then noticed that all of our services
> were hung, again, ssh, httpd, all stuck. So, I reboot
> successfully via our new reboot switch and then ssh in and
> turn on our pmfirewall. I run another quick portscan and now
> it shows this:
>
> Port State Service
> 22/tcp open ssh
> 25/tcp open smtp
> 53/tcp open domain
> 80/tcp open http
> 81/tcp open hosts2-ns
> 110/tcp open pop-3
> 137/tcp filtered unknown
> 138/tcp filtered unknown
> 139/tcp filtered unknown
> 443/tcp open unknown
> 444/tcp open unknown
> 1524/tcp filtered unknown
> 3306/tcp open unknown
> 12345/tcp filtered NetBus
> 12346/tcp filtered NetBus
> 27665/tcp filtered Trinoo_Master
> 31337/tcp filtered Elite
>
> Did I just enable some cracker's software with my reboot? I
> downloaded the latest chkrootkit and it shows server as fine.
> Would the firewall cause false positives for some reason?
> Am I obviously and officially screwed as far as this server
> is concerned now? Thanks...
>
> 8( Brad
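An added example (not part of either message): a small Python script that diffs the two scan listings quoted above and separates ports that newly report `open` from ports that newly report `filtered`. It assumes the scanner's usual meaning of `filtered` (the probe was blocked, so the scan alone does not show whether anything is listening) and that the service column is a name looked up from the port number; the function names are made up for this example.

```python
import re

# Scan listings copied from the post above: the first scan, then the lines
# that were new in the second scan (taken after the firewall was turned on).
FIRST = """\
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
81/tcp open hosts2-ns
110/tcp open pop-3
137/tcp filtered unknown
138/tcp filtered unknown
139/tcp filtered unknown
443/tcp open unknown
444/tcp open unknown
3306/tcp open unknown
"""
SECOND = FIRST + """\
1524/tcp filtered unknown
12345/tcp filtered NetBus
12346/tcp filtered NetBus
27665/tcp filtered Trinoo_Master
31337/tcp filtered Elite
"""

LINE = re.compile(r"^(?:>\s*)?(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")

def parse_scan(text):
    """Map (port, proto) -> (state, service); tolerates '> ' quote prefixes."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            found[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return found

def diff_scans(before, after):
    """Return entries that are new or changed state, grouped by observed state."""
    report = {"open": [], "filtered": [], "gone": sorted(set(before) - set(after))}
    for key, (state, service) in sorted(after.items()):
        if key not in before or before[key][0] != state:
            report.setdefault(state, []).append((key[0], service))
    return report

if __name__ == "__main__":
    r = diff_scans(parse_scan(FIRST), parse_scan(SECOND))
    print("newly open (a listener answered):", r["open"])
    print("newly filtered (probe blocked, listener unknown):", r["filtered"])
```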