
[cobalt-security] Hack after restore




I was hacked on my server.  I am now using SSH and have disabled Telnet.
All security patches are installed.

When hacked I was advised to Export all the Sites, use the restore disk and
Import all the sites back again.

Since then I am having trouble with just one domain on site4.  The
index.html page was removed mysteriously and all the site permissions had
been changed resulting in server errors for the scripts.  On investigation I
find that there was this entry in the FTP log after the restore:
/home/sites/site4/web/DWDDXX8.DDD
although that file is no longer there.

In the root directory was a file called:
mon.out
I have kept a copy of this file, which looks like an executable file.

Has anyone come across any of these files?

Can someone tell me where to look for any intrusion, as I am not familiar
with using shell commands?

Thanks