
RE: [cobalt-users] Re: My Server has been hacked



Hello Richard,

What does /var/log/auth show?  Maybe it is some kind of port attack.
Actually you can assign any unused port for SSH access.  I use port 52 for 
SSH but I guess since your SSH is using (6000+ port) which are not normally 
open, made the hacker think that your system has a backdoor so he launched the 
attacks.

Hope that your SSH is not the Trojaned version that was available from the 
openssh website. Check this link:
http://list.cobalt.com/pipermail/cobalt-users/2002-August/075507.html

OK, now why not install the latest SSH from pkgmaster.com?

aljuhani@xxxxxxxxx

>===== Original Message From cobalt-users@xxxxxxxxxxxxxxx =====
>> Hello Richard,
>>
>> What makes you think that your system is hacked? Port 6662 is for Internet
>> Relay Chat (IRC).  Have you checked remaining space  on your partitions?
>
>Absolutely certain of it (about 25 years ago I was a hacker).  6662 was not
>open before, and is now open with a modified version of ssh which does not
>show up in the system versions of ps or netstat.  Port 22 is now closed
>(normal SSH), as are a couple of specials that would normally be open.  The
>system is dotted with files that have been modified at about 11:30 on the 6th
>along with dubious files like a .sushi at the top level.  A search of Google
>when I saw that file was all I needed. Remaining space - about normal.  The
>hack came from an IP address of 61.221.84.38 which is in China.
>
>> What Firewalls (IPchains, Portsentry, etc) installed.  I think you can
>> access  the logs at /var/log/ and tail them with admin.
>
>It has a basic firewall installed, but nothing special setup.  I can access
>the logs.  I am most suspicious of the mail log which is empty, even though
>I know mail is being processed.
>
>> Need to know more info from the logs.  Plus have you installed the latest
>> SSH  from pkgmaster.com?
>
>No, it's pretty much a standard build as of a year ago when I leased it.
>I now know I should have installed some patches, but ...
>
>>
>> aljuhani@xxxxxxxxx
>
>Richard
>