Re: [cobalt-security] February Hack Update



> Advice: Check for the "/usr/sbin/init" file, check your crontab entries and
> check what processes are running. Look for an "init" process other than that
> found at PID1 using "ps -ax".

> Advice: Check for "usr/sbin/cronlogd",  check the "/etc/rc.d/rc.sysinit"
> file has not been tampered with and what processes are running using
> "ps -ax".

> Advice: check what ports you have open using
> netstat -ap | grep "*:*"

My advice would be to blank the box and start from scratch.
Most rootkits install trojaned versions of _at least_ ps and netstat.
You are likely opening up more holes to your attacker than you did before by
running those files.

Once you reinstall, I suggest something like tripwire (www.tripwire.org) to
ensure the integrity of your system binaries.
--
Marc
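
Added example, not part of the original post and not Tripwire's own code: a minimal sketch of the baseline-and-verify idea behind the integrity checking suggested above, using SHA-256, permission bits and size per file. The function names are hypothetical. It assumes the baseline is recorded on a known-clean install and kept on read-only or offline media, and that the check itself runs from trusted media, since a compromised host can tamper with the checker as easily as with ps.

```python
import hashlib
import os
import stat


def fingerprint(path):
    """Return (sha256 hex, permission bits, size) for one file."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        # A binary swapped for a symlink or device node must never match.
        return ("not-a-regular-file", stat.S_IMODE(st.st_mode), st.st_size)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size


def list_files(directory):
    """All regular files under directory (symlinks are not followed)."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                found.append(full)
    return found


def build_baseline(paths):
    """Record a fingerprint for every path; run on a known-clean install."""
    return {p: fingerprint(p) for p in paths}


def verify(baseline, current_paths):
    """Compare the live file set against the baseline.

    Returns a sorted list of (status, path); status is 'MODIFIED',
    'MISSING' or 'ADDED'. An empty list means nothing changed.
    """
    findings = []
    for path, recorded in baseline.items():
        if not os.path.lexists(path):
            findings.append(("MISSING", path))
        elif fingerprint(path) != recorded:
            findings.append(("MODIFIED", path))
    for path in current_paths:
        if path not in baseline:
            findings.append(("ADDED", path))
    return sorted(findings)
```

A same-size content swap, a permission change, a deleted binary and a newly dropped file each show up as a separate finding.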