RE: [cobalt-security] Re: [cobalt-users] ssh on port 44658???
- Subject: RE: [cobalt-security] Re: [cobalt-users] ssh on port 44658???
- From: Paul Gillingwater <paul@xxxxxxxxxxx>
- Date: Wed, 18 Apr 2001 07:50:29 +0200 (CEST)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Quoting Loryan Strant <cobalt-emails@xxxxxxxxxx>:
> I've found that "/usr/sbin/nscd" is the responsible program for that port
> being open. I don't know what that program is, as it is not found on our
> backup RaQ4 server (which mind you has a lot less updates and programs
> installed).
> I know that my server is now untrustworthy, but would it be a good idea
> to rename/delete this file in the meantime?
I'm sorry to tell you but this is very likely evidence of your system being
fully compromised by the t0rn rootkit. See http://www.sans.org/y2k/t0rn.htm
for more information. I strongly suggest a complete restore, although it is
possible to eliminate all the back doors if you spend time on it. Then you
need to apply the latest security patches from Cobalt, to remove the place
where the script kiddie got in (most likely the BIND bug, although WU-FTPD is
also a possibility.)
*********************************
Paul Gillingwater
Managing Director
CSO Lanifex Unternehmensberatung
& Softwareentwicklung G.m.b.H.
NEW BUSINESS CONCEPTS
E-mail: paul@xxxxxxxxxxx
Mobile: +43/699/1922 3085
Webhome: http://www.lanifex.com
Address: Praterstrasse 60/1/2
A-1020 Vienna, Austria
*********************************
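
An added example, not part of the original message: a shell check that reads `netstat -tlnp` output and reports every listening TCP port whose owning program is not in a known-good baseline, which is how a listener like the nscd one on port 44658 in this thread stands out. The baseline list, the PIDs and the sample netstat output are constructed assumptions.

```shell
#!/bin/sh
# Flag TCP listeners whose port/program pair is not in a known-good baseline.
# Input: output of `netstat -tlnp` (net-tools column layout) on stdin.
# BASELINE is an assumption: replace it with what this host should expose.
BASELINE="22/sshd 25/sendmail 53/named 80/httpd"

unexpected_listeners() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, b, " ")
            for (i = 1; i <= n; i++) ok[b[i]] = 1
        }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # drop the address, keep the port
            prog = $7; sub(/^[0-9]+\//, "", prog)  # drop the PID, keep the program name
            key = port "/" prog
            if (!(key in ok)) print port, prog     # not in baseline: report it
        }'
}

# Constructed sample shaped like the situation in the thread (PIDs are made up).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      530/httpd
tcp        0      0 0.0.0.0:44658           0.0.0.0:*               LISTEN      1187/nscd
EOF
}

sample_netstat | unexpected_listeners
```

On a host already suspected of compromise the local netstat cannot be trusted either, so feed this function output captured with known-good binaries or compare it with a port scan run from another machine.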