
RE: [cobalt-users] Hacked Cobalt Servers



LKM is a trojan that modifies your 'ps' command and attempts to hide
processes. This check simply adds up the processes in the 'ps' command and
compares that with the real processes.

Unfortunately the two checks are run seconds apart and sometimes the
difference in the number of processes is not actually an indication of the
trojan but just a consequence of new processes starting up on your machine
between the checks.

Run the check again several times to be certain that it is a constant
problem. On my Raq I get this warning about once every few months and it
always turns out to be a false alarm.

Tom

=> -----Original Message-----
=> From: cobalt-users-admin@xxxxxxxxxxxxxxx
=> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Chuck Lewis
=> Sent: Friday, 18 April 2003 5:07 AM
=> To: cobalt-users@xxxxxxxxxxxxxxx
=> Subject: RE: [cobalt-users] Hacked Cobalt Servers
=>
=>
=> Well chkroot got done running and I see the following:
=>
=> Checking `lkm'... You have     1 process hidden for readdir command
=> You have     1 process hidden for ps command
=> Warning: Possible LKM Trojan installed
=> Checking `rexedcs'... not found
=> Checking `sniffer'...
=> eth0 is PROMISC
=> ipsec0 is not promisc
=> Checking `wted'... nothing deleted
=> Checking `scalper'... not infected
=> Checking `slapper'... not infected
=> Checking `z2'...
=> nothing deleted
=>
=> So, do I have a problem ?
=>
=> Chuck
=>
=> -----Original Message-----
=> From: Kevin
=> Sent: Wednesday, April 16, 2003 1:36 PM
=>
=> >Just wondering if and how many other cobalt servers have been hacked
=> >lately, and if by the same group or person?
=>
=> >Mine was hacked last weekend by Blood Br. Dumped and reloaded from a cmu
=> >file. There probably was a better way to setup the DNS server, but I did
=> >it one at a time.
=>
=>
=>
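The repeat-the-check advice in the reply above, as an added example that is not part of the original thread and is not chkrootkit's own code: it compares the PIDs listed in /proc with those reported by `ps` over several samples and keeps only the PIDs missing from `ps` every time, so processes that start or exit between the two reads drop out. The function names and the sample PIDs are assumptions made for this sketch; it assumes a Linux /proc and a `ps` that accepts `-e -o pid=`.

```python
import os
import subprocess
import time

def proc_pids():
    """PIDs visible as numeric directories under /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def ps_pids():
    """PIDs reported by ps, excluding the ps child process itself."""
    p = subprocess.Popen(["ps", "-e", "-o", "pid="],
                         stdout=subprocess.PIPE, text=True)
    out, _ = p.communicate()
    return {int(x) for x in out.split()} - {p.pid}

def take_sample():
    """Read /proc before and after ps; keep only PIDs alive across both
    reads, so a process that exits mid-sample is not counted as hidden."""
    before = proc_pids()
    seen_by_ps = ps_pids()
    after = proc_pids()
    return before & after, seen_by_ps

def persistent_hidden(samples):
    """samples: list of (proc_pids, ps_pids) pairs taken at different times.
    Returns the PIDs present in /proc but absent from ps in every sample."""
    hidden = None
    for proc, ps in samples:
        diff = set(proc) - set(ps)
        hidden = diff if hidden is None else hidden & diff
    return hidden or set()

# Constructed sample data (not from a real host): PID 4242 is never shown
# by ps, while 900 and 950 are ordinary short-lived processes.
CONSTRUCTED_SAMPLES = [
    ({1, 80, 4242, 900}, {1, 80}),      # 900 exited before ps ran
    ({1, 80, 4242}, {1, 80, 950}),      # 950 started after /proc was read
    ({1, 80, 4242, 960}, {1, 80, 960}),
]

if __name__ == "__main__":
    live = []
    for _ in range(5):                  # five samples, two seconds apart
        live.append(take_sample())
        time.sleep(2)
    print("hidden in every sample:", sorted(persistent_hidden(live)))
```

An empty result after several samples matches the false-alarm case described in the reply; a PID that stays in the result on every run is the one to investigate with tools that do not come from the suspect host.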