
Re: [cobalt-security] I've been hacked -- now what do I do?



Keep in mind that if one trojan is on the system, there's nothing stopping the cracker from putting on another.  In my opinion, the machine is pretty much untrustable at this point, and requires a re-install, or going through a database of known file fingerprints/sizes and comparing them to every file on the system.

On Monday, November 6, 2000, at 04:04 PM, Gossi The Dog wrote:

> On Mon, 6 Nov 2000, Chris Maxwell, WDSL Inc. wrote: 
>  
> > Hello Steve, 
> > 
> > Why don't you just go into the /etc/rc#.d directories, and run 
> > 
> > grep nothing * |more 
>  
> It might be started elsewhere though, remember. 
>  
> Probably worth doing locate nothing, finding the binary, running "strings" 
> on it and generally seeing if it looks sus. 
>  
> All the Cobalt RPMS are available from ftp.cobaltnet.com (which is running 
> exploitable proftpd I might mention, as is ftp.cobalt.com, and the rest of 
> the Cobalt network), if you want to reinstall the key system components. 
> You'll need to reapply the OS3 update and security updates afterwards, 
> however. 
>
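
The comparison against a database of known file fingerprints and sizes that the reply at the top of this message describes, as an added example that is not part of the original thread. The function names, the constructed sample tree and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Return (size, sha256 hex digest) of a file, read in chunks."""
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()

def build_manifest(root):
    """Map each regular file under root (relative path) to its fingerprint."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            # Symlinks are skipped here; only regular files are fingerprinted.
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = fingerprint(full)
    return manifest

def compare(known, root):
    """Check the tree at root against a known-good manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in known if p in current and current[p] != known[p]),
        "missing": sorted(p for p in known if p not in current),
        # Files the database has never seen: where an added trojan shows up.
        "unexpected": sorted(p for p in current if p not in known),
    }

def demo():
    """Constructed sample tree: build a baseline, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        for name, data in (("ls", b"ls-v1"), ("ps", b"ps-v1"), ("login", b"login-v1")):
            with open(os.path.join(root, "bin", name), "wb") as fh:
                fh.write(data)
        known = build_manifest(root)          # taken while the system is clean
        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"ps-XX")                # replaced binary, same size as before
        with open(os.path.join(root, "bin", "nothing"), "wb") as fh:
            fh.write(b"backdoor")             # extra file not in the database
        os.remove(os.path.join(root, "bin", "login"))
        return compare(known, root)

if __name__ == "__main__":
    print(demo())
```

The baseline has to come from a clean install or the vendor's packages, and the comparison is only meaningful when run from trusted media, because the tools on the suspect machine may themselves have been replaced. A size check alone would miss the replaced `ps` in the sample, which keeps its original length.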