Re: [cobalt-security] Hack after restore
- Subject: Re: [cobalt-security] Hack after restore
- From: "Dogsbody" <dan@xxxxxxxxxxxx>
- Date: Mon, 22 Oct 2001 13:10:22 +0100 (BST)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Paul,
Do a search on Yahoo for 'mon.out'; this may help. The ones that jumped out
at me were...
http://www.cfm.brown.edu/tutorials/profile.html
...and...
http://www.cs.princeton.edu/cgi-bin/man2html?prof:1
...although there are others.
Regards
Dan
dan@xxxxxxxxxxxx
http://www.dogsbody.org
> Clear Day
>
> I was hacked on my server. I am now using SSH and have disabled
> Telnet. All security patches are installed.
>
> When hacked I was advised to Export all the Sites, use the restore disk
> and Import all the sites back again.
>
> Since then I am having trouble with just one domain on site4. The
> index.html page was removed mysteriously and all the site permissions
> had been changed resulting in server errors for the scripts. On
> investigation I find that there was this entry in the FTP log after the
> restore:
> /home/sites/site4/web/DWDDXX8.DDD
> although that file is no longer there.
>
> On the root directory was a file called:
> mon.out
> I have kept a copy of this file, which looks like an executable file.
>
> Has anyone come across any of these files?
>
> Can someone tell me where to look for any intrusion as I am not
> familiar with using Shell commands.
>
> Thanks
>