Re: [cobalt-users] (no subject)
- Subject: Re: [cobalt-users] (no subject)
- From: Greg Hewitt-Long <cobaltusers@xxxxxxxxxxxxxxxxxxx>
- Date: Fri Sep 19 11:25:03 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
>Hi there
>
>I have just had a message from my server supplier that :-
>
>"After further investigations we have found your server to have been hacked, to protect the rest of our network we have taken your server off line. T
>
>We found these files to have been replaced on xxx.xxx.xxx.xxx.
>
>S.5..... /bin/netstat
>S.5..... /sbin/ifconfig
>S.5..... /usr/bin/pstree
>S.5..... /usr/bin/find
>SM5..... /bin/ps
>SM5..... /usr/bin/top
>S.5..UGT /usr/bin/ftpcount
>S.5..UGT /usr/bin/ftpwho
>S.5..UGT /usr/bin/ftpshut
>
>Furthermore, there's an IRC bot running on the server in /usr/man/manag and the source file is bhbp.tar.gz
>
>./shell.sh
>./bot1.up
>./lpdi sezam
>./clean "
>
>They are offering to rebuild the server for me - any ideas whether this is needed - I've tried several searches in Google for information on this to no avail.
You have little choice if you need to be 100% sure that your invaders have been removed completely.
Anything short of a complete rebuild will leave you with lingering doubts that they have installed one or many backdoors which have yet to be discovered....
Rebuild and kiss them good-bye...
regards
Greg Hewitt-Long
--
E-Commerce Software & Web Design Services. http://webyourbusiness.com
Reliable Web Hosting from $4.99/month - http://www.aaabusinesshosting.com/
Domain Registration from $13/year - http://aaabusinesshosting.com/domains/
TF: 1-877-416-8655 PH: (970) 266-0195 FAX: (970) 266-0158
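
The file listing quoted in the message above has the shape of `rpm -V` (package verify) output, where each column of the flag string marks one attribute that no longer matches the package database. As an added example that is not part of the original thread, this Python sketch decodes those flags and separates changed system binaries from ordinary config edits; it assumes the listing is `rpm -V` output in its older 8-column form, and the function names and the `/etc/hosts` sample line are constructed for illustration.

```python
import re

# Assumption: the listing is `rpm -V` output in its older 8-column form.
# Each column is "." (unchanged) or the letter for the attribute that differs.
FLAGS = [("S", "size"), ("M", "mode"), ("5", "MD5 digest"), ("D", "device"),
         ("L", "symlink target"), ("U", "owner"), ("G", "group"), ("T", "mtime")]
LINE = re.compile(r"^>?\s*([SM5DLUGT.?]{8})\s+(?:([cdglr])\s+)?(/\S+)$")
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

def decode(line):
    """Return {'path', 'changed', 'suspicious'} for one verify line, or None."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    flags, ftype, path = m.groups()
    changed = [name for (ch, name), got in zip(FLAGS, flags) if got == ch]
    # Changed content in a packaged, non-config executable is not explained by
    # routine administration, unlike an edited config file (type marker "c").
    suspicious = flags[2] == "5" and ftype != "c" and path.startswith(BIN_DIRS)
    return {"path": path, "changed": changed, "suspicious": suspicious}

def triage(text):
    """Decode every verify line in text, skipping anything that is not one."""
    return [r for r in map(decode, text.splitlines()) if r is not None]

# Three lines from the quoted listing plus one constructed config-file line.
SAMPLE = """\
>S.5..... /bin/netstat
>SM5..... /bin/ps
>S.5..UGT /usr/bin/ftpcount
S.5....T c /etc/hosts
"""

if __name__ == "__main__":
    for r in triage(SAMPLE):
        tag = "REPLACED?" if r["suspicious"] else "changed"
        print(f"{tag:9} {r['path']}: {', '.join(r['changed'])}")
```

A verify run on a live, possibly compromised host depends on that host's own `rpm` binary and database being intact, so its result is a lead for triage rather than proof that the remaining files are clean.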