Re: [cobalt-security] February Hack Update
- Subject: Re: [cobalt-security] February Hack Update
- From: "Marc Gear" <marcg@xxxxxxxxxxxxxx>
- Date: Mon, 5 Mar 2001 10:24:48 -0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> Advice: Check for the "/usr/sbin/init" file, check your crontab entries and
> check what processes are running. Look for an "init" process other than that
> found at PID1 using "ps -ax".
> Advice: Check for "usr/sbin/cronlogd", check the "/etc/rc.d/rc.sysinit"
> file has not been tampered with and what processes are running using
> "ps -ax".
> Advice: check what ports you have open using
> netstat -ap | grep "*:*"
My advice would be to blank the box and start from scratch.
Most rootkits install trojaned versions of _at least_ ps and netstat.
You are likely opening up more holes to your attacker than you did before by
running those files.
Once you reinstall, I suggest something like tripwire (www.tripwire.org) to
ensure the integrity of your system binaries.
--
Marc