Re: [cobalt-users] raq4s still vulnerable to slapper worm??
- Subject: Re: [cobalt-users] raq4s still vulnerable to slapper worm??
- From: "PageKeeper Service" <host@xxxxxxxxxxxxxxxxxxxxx>
- Date: Mon Aug 4 02:46:02 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
----- Original Message -----
Subject: Re: [cobalt-users] raq4s still vulnerable to slapper worm??
>
> > > > it certainly looks like the slapper worm.
> > > >
> > > [snip]
> > > > Am I just panicking needlessly? (I sure hope so!) or
> > > > is every last raq4 still open to this old worm?
> > > >
> > > > what are people doing to get around it? how to get rid
> > > > of it and clean up?
> > > >
> > >
> >
>
> Have you got Chiliasp running? I know that the ASP engine sometimes binds
> itself to the ports Chkrootkit checks for Slapper coming up with the false
> positive.
>
> andy
Yes, it's running. Sometimes a bit too much..
I have seen caspd run away on many a RAQ4 when the machine is not booted via the UI or command line correctly.
(Like when the front panel button is used. I find myself rebooting again via shell or UI to cure this problem.)
A real CPU smoker if not caught quickly.. It lets you do something, waits, then caspd runs away with the CPU!
Try that at or after 4:02am and one may have some log rotation problems..
I'm testing a little Perl script to snapshot the /home/tmp contents via email just for grins..
..as the tmp dir contents seem to change quite a bit.. be nice to roughly know when and what is going on at times..
I found one big CGItemp<pid> file (binary) hogging up space for no apparent reason and 4-5 of the same copies of weird email ones from someone on Mars via Yahoo. Weird? lol. I'm guessing [root tmp]# rm <filename> is my friend.
David
PageKeeper Service
1512 Deborah Road #102
Rio Rancho, New Mexico 87124 US
505-892-8723
http://www.pagekeeperservice.com