[cobalt-users] Re: My Server has been hacked
- Subject: [cobalt-users] Re: My Server has been hacked
- From: Richard Proctor <Richard@xxxxxxxxxxx>
- Date: Mon Mar 10 07:39:50 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> Hello Richard,
>
> What makes you think that your system is hacked? Port 6662 is for Internet
> Relay Chat (IRC). Have you checked remaining space on your partitions?
Absolutely certain of it (about 25 years ago I was a hacker). 6662 was not
open before, and is now open with a modified version of ssh which does not
show up in the system versions of ps or netstat. Port 22 is now closed
(normal SSH), as are a couple of specials that would normally be open. The
system is dotted with files that have been modified at about 11:30 on the 6th
along with dubious files like a .sushi at the top level. A search of Google
when I saw that file was all I needed. Remaining space - about normal. The
hack came from an IP address of 61.221.84.38 which is in China.
> What Firewalls (IPchains, Portsentry, etc) installed. I think you can
> access the logs at /var/log/ and tail them with admin.
It has a basic firewall installed, but nothing special set up. I can access
the logs. I am most suspicious of the mail log which is empty, even though
I know mail is being processed.
> Need to know more info from the logs. Plus have you installed the latest
> SSH from pkgmaster.com?
No, it's pretty much a standard build as of a year ago when I leased it.
I now know I should have installed some patches, but ...
>
> aljuhani@xxxxxxxxx
Richard
--
Personal Richard@xxxxxxxxxxx http://www.waveney.org
Telecoms Richard@xxxxxxxxxxxxxxxxxxxxx http://www.WaveneyConsulting.com
Web services Richard@xxxxxxxxxxx http://www.wavwebs.com
Independent Telecomms Specialist, ATM expert, Web Analyst & Services
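
The message above describes a listener on port 6662 that the system's own ps and netstat do not show. One way to cross-check for that, as an added example that is not part of the original post: compare the kernel's socket table in /proc/net/tcp with saved `netstat -ltn` output and report listening ports that the tool omits. The function names, file names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check listening TCP ports in /proc/net/tcp against
# what netstat reports. Sample data below is constructed, not from the post.

# Ports in LISTEN state (st == 0A) from a /proc/net/tcp-format file.
kernel_listen_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
    while read -r hex; do printf '%d\n' "0x$hex"; done | sort -n | uniq
}

# Ports from saved `netstat -ltn` output (local address is field 4).
tool_listen_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' "$1" |
    sort -n | uniq
}

# Ports the kernel lists as listening that the tool output omits.
hidden_ports() {
    known=$(tool_listen_ports "$2" | tr '\n' ' ')
    for p in $(kernel_listen_ports "$1"); do
        case " $known " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Constructed sample: kernel view has 25, 80 and 6662 listening plus one
# established connection; the (tampered) netstat view omits 6662.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_PROC="$WORK/proc_net_tcp"
SAMPLE_NETSTAT="$WORK/netstat_ltn"
cat > "$SAMPLE_PROC" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1305 1
   2: 00000000:1A06 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9917 1
   3: 0A00000A:0050 0B00000A:C3A1 01 00000000:00000000 00:00000000 00000000    99        0 9950 1
EOF
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
EOF

echo "listening per kernel but absent from netstat: $(hidden_ports "$SAMPLE_PROC" "$SAMPLE_NETSTAT")"
```

On a live host the first argument would be /proc/net/tcp itself; a kernel-level rootkit can filter that file too, so an empty result from a running, possibly compromised system does not prove it clean.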