[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [cobalt-security] Another Raq3 Hack

Subject: RE: [cobalt-security] Another Raq3 Hack
From: "David Conorozzo" <davidc@xxxxxxxxxxxxxxxxx>
Date: Thu, 15 Feb 2001 09:43:18 -0500
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

I had 2 hacks... they both had that.  On one box that pid was dead, on the other it was active.  One box was a 4r and the other a 3i.  They were both completely different hacks.

David Conorozzo
PC Assistance, Inc.


>>> "Tony" <isplists@xxxxxxxxxxxx> 02/15/01 02:18AM >>>
++Raq3 with all Patches:
+
+Ran Chkrootkit and got 
+
+Checking `netstat'... INFECTED
+
+in.smb was enabled in inetd.conf
+
+Both init and in.smb in /usr/sbin had the same time stamp.
+
+Is it possible to plug this up without flattening the box? 

Also found this on this Raq and not on any others:

/root/.la.pid

Anyone have any idea which process la is? 

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx 
http://list.cobalt.com/mailman/listinfo/cobalt-security

Follow-Ups:
- [cobalt-security] [RaQ3i] Raq3 PortHack, port 111
  - From: Theodore Jones

Prev by Date: [cobalt-security] RAQ2 Bind 8.2.3 patch won't install
Next by Date: [cobalt-security] RAQ2 BIND update
Previous by thread: RE: [cobalt-security] Another Raq3 Hack
Next by thread: [cobalt-security] [RaQ3i] Raq3 PortHack, port 111

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index