Re: [cobalt-security] are these worm files?
- Subject: Re: [cobalt-security] are these worm files?
- From: "Tsukaeru.net" <webmaster@xxxxxxxxxxxx>
- Date: Mon, 26 Mar 2001 08:41:29 +0900
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
I had the same rootpack installed previously. And...finally lost root
access and had to reinstall the OS. As far as I know this attack is usually
through DNS..(Bind?) Do you have this running on your server?
Jason Frisch
----- Original Message -----
From: "Gossi The Dog" <gossi@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Monday, March 26, 2001 7:40 AM
Subject: Re: [cobalt-security] are these worm files?
>
>
> On Sat, 24 Mar 2001, Loryan Strant wrote:
>
> > Hi,
> >
> > I've just run Lionfind on my Cobalt RaQ4, and it says the following are
> > suspicious files:
> >
> > /usr/src/.puta/.1addr /usr/src/.puta/.1file /usr/src/.puta/.1proc
> > /usr/src/.puta/.1logz /usr/src/.puta/ /usr/src/.puta/ /usr/info/.t0rn/
> >
> > I find those a little odd too, so I'm wondering if I can delete this whole
> > directory.
> > Does anyone have any suggestions?
> >
>
> T0rn rootkit. That box is owned. Either spend a loooot of time
> reinstalling binaries and cleaning up files, or reinstall the box.
>
> Either way, if you just sit on it you are asking for trouble.
>
>
>
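An offline check for the paths named in this thread, as an added example that is not part of the original messages or of Lionfind. It assumes the suspect disk is mounted read-only from trusted rescue media (the mount point is passed as an argument), because binaries on a box that needs them reinstalled cannot be relied on to list files honestly. Beyond the quoted paths, it also flags any other hidden directory directly under usr/src or usr/info.

```shell
#!/bin/sh
# Added example: look for the t0rn paths quoted in the thread under a mounted
# copy of the suspect filesystem. ROOT (the mount point) is an assumption.

# Paths from the Lionfind output quoted above, relative to the filesystem root.
T0RN_PATHS="usr/src/.puta usr/src/.puta/.1addr usr/src/.puta/.1file
usr/src/.puta/.1proc usr/src/.puta/.1logz usr/info/.t0rn"

# scan_t0rn ROOT: print one line per finding; return 1 if anything was found.
scan_t0rn() {
    root=${1%/}
    found=0
    for rel in $T0RN_PATHS; do
        # -L also catches a dangling symlink left at one of the paths
        if [ -e "$root/$rel" ] || [ -L "$root/$rel" ]; then
            echo "KNOWN  $root/$rel"
            found=1
        fi
    done
    # Generalisation: hidden directories have no business in these trees,
    # so report any that are not already covered by the list above.
    for dir in usr/src usr/info; do
        [ -d "$root/$dir" ] || continue
        for entry in "$root/$dir"/.[!.]*; do
            [ -d "$entry" ] || continue
            rel=${entry#"$root"/}
            case "$rel" in
                usr/src/.puta|usr/info/.t0rn) ;;   # already reported as KNOWN
                *) echo "HIDDEN $entry"; found=1 ;;
            esac
        done
    done
    return "$found"
}

# Run only when a mount point is given, e.g.: sh scan_t0rn.sh /mnt/suspect
if [ $# -gt 0 ]; then
    scan_t0rn "$1"
fi
```

A clean result only says these particular paths are absent; it does not show the box is uncompromised.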