
[cobalt-security] possible compromise



I believe my Raq3i may have been compromised. At 2:39am this morning it
stopped responding, and my monitoring software reports a change in my
passwd, group, and shadow files. I did a quick audit of those files and
there are no additions.

I checked all of my logs, which abruptly stop at 2:39am and don't start
again until 9:49 (the time of reboot). I portscanned the server to find no
additional open ports, and checked listening ports with netstat -l. So far,
so good. I also did a find for files with modified timestamps, and took a
quick look at those.

Is there anything else I should check to verify that nothing has been
compromised? Any advice as to where to go to figure out what the heck
happened?

Kevin