[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] Server hacked were to find the Server logs
- Subject: Re: [cobalt-security] Server hacked were to find the Server logs
- From: "Robbert Hamburg" <rhamburg@xxxxxx>
- Date: Tue, 27 Feb 2001 18:10:01 +0100
- Organization: www.hava.nl
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Tuesday, February 27, 2001 2:03 PM John wrote:
> On Mon, Feb 26, 2001 at 09:23:57PM +0100, Robbert Hamburg wrote:
> > Hello,
> >
> > Tonight we had a server attack. We want to analyze the server logs.
[CUT NON USEFULL INFO]
> You would be well advised to have a security specialist look over the
> machine for you, to be sure that you are not trojaned in any way. It is
> most common that, unless this cracker was after one website, the intruder
> will have made a way to get back into the box easily. If the cracker is
> remotely skilled at all then lots of trojaned binaries could have replaced
> yours, and it will be hard to tell that there is anything up with the
> machine.
Me again,
I just found this in the log:
(dsl-64-32-17-3.hollywood.relaypoint.net[64.32.17.3]) - no such user
'anonym$
(dsl-64-32-17-3.hollywood.relaypoint.net[64.32.17.3]) - FTP session closed.
(dsl-64-32-17-3.hollywood.relaypoint.net[64.32.17.3]) - USER anonymous
(Logi$
(dsl-64-32-17-3.hollywood.relaypoint.net[64.32.17.3]) - USER anonymous
(Login fai$
there were more entries of this just before the server went down. Is there
anyway to make use of this information ???
Robbert Hamburg
"Reality is that which, when you stop believing in it, doesn't go away."