RE: [cobalt-users] Hacked - Ambient's Rootkit for Linux ?
- Subject: RE: [cobalt-users] Hacked - Ambient's Rootkit for Linux ?
- From: cobalt@xxxxxxxxxxxxx
- Date: Fri Nov 8 15:14:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
>>Hi all,
>>
>>I believe I have been hacked (well I'm sure, but I still have hope)
>>
>>chkrootkit returns:
>>
>>Checking `du'... INFECTED <CLIP>
>
>All those files have a time stamp of 3:40 pm of today????????
>Somebody's touched them.
>Ironically, I am in the central time zone of the US and your email from 21:40
>came at 15:40
>You don't say what machine you have.
>My raq4r with all the updates has
>ls 50148 9/8/1999
>login 21672 6/20/2000
>these are from the /bin directory - does this tell you enough?
The server is in the UK (GMT) so the times are correct.
The server is a RaQ4i with all Cobalt Patches, except the security one that
caused problems.
I still have root access to the box, which allows me to at least make
current backups of Database stuff (phew)
Need to get a rebuild started once data is secured.
Is /var/log the only directory to back up if I wish to trace the hacker?
F*!K%n B&*T... (Sorry my tolerance is low at the moment)
Has anyone got documentation on installing a Tripwire product on a RaQ4?
(This is the only way I believe I could have stopped this one.)
Thanks
Andy
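
The size and date comparison in the quoted reply, and the Tripwire-style baseline asked about above, can be sketched as follows. This is an added example, not part of the original message and not Tripwire's own code; the function names are hypothetical, and the files are constructed stand-ins that reuse only the `ls` and `login` sizes quoted in the thread.

```python
import hashlib
import os
import tempfile


def snapshot(paths):
    """Record size, mtime and SHA-256 for each path (the known-good baseline)."""
    result = {}
    for path in paths:
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        result[path] = {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}
    return result


def compare(baseline, current):
    """Return {path: [changed attributes]} for every file that differs or is missing."""
    findings = {}
    for path, old in baseline.items():
        new = current.get(path)
        changed = ["missing"] if new is None else [
            key for key in ("size", "mtime", "sha256") if old[key] != new[key]]
        if changed:
            findings[path] = changed
    return findings


def demo():
    """Constructed files stand in for /bin/ls and /bin/login; nothing real is read."""
    with tempfile.TemporaryDirectory() as root:
        ls, login = os.path.join(root, "ls"), os.path.join(root, "login")
        for path, body in ((ls, b"A" * 50148), (login, b"B" * 21672)):
            with open(path, "wb") as fh:
                fh.write(body)
            os.utime(path, (946684800, 946684800))  # fixed, constructed mtime
        baseline = snapshot([ls, login])
        # Same size, original mtime put back: only the content hash differs.
        with open(login, "wb") as fh:
            fh.write(b"C" * 21672)
        os.utime(login, (946684800, 946684800))
        # Rewritten with a new size; mtime is left at the time of the write.
        with open(ls, "wb") as fh:
            fh.write(b"D" * 60000)
        return {os.path.basename(p): c for p, c in compare(baseline, snapshot([ls, login])).items()}


if __name__ == "__main__":
    for name, changed in sorted(demo().items()):
        print(name, "changed:", ", ".join(changed))
```

The `login` stand-in passes a size and timestamp check and is caught only by its hash, which is why the baseline has to include digests and be stored off the host, where root on the monitored machine cannot rewrite it.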