[cobalt-security] possible compromise
- Subject: [cobalt-security] possible compromise
- From: "Kevin D" <kdlists@xxxxxxxxxxxxxxx>
- Date: Wed, 24 Jan 2001 11:11:04 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

I believe my Raq3i may have been compromised. At 2:39am this morning it
stopped responding, and my monitoring software reports a change in my
passwd, group, and shadow files. I did a quick audit of those files and
there are no additions.

I checked all of my logs which abruptly stop at 2:39am, and don't start
again until 9:49 (the time of reboot). I portscanned the server, to find no
additional open ports, and checked listening ports with netstat -l. So far,
so good. I also did a find for files with modified timestamps, and took a
quick look at those.

Is there anything else I should check to verify that nothing has been
compromised? Any advice as to where to go to figure out what the heck
happened?

Kevin