
Re: [cobalt-security] Unauthorized httpd.conf changes.



"Mike Dickinson" <mdickinson@xxxxxxxxxxxxxxxxxxxx> wrote:
> Over the last week, I have been experiencing weird symptoms on my RAQ3i
> in regards to the httpd.conf and log files. First off Cobalt will not
> help me because we have installed a RAQ4 OS on a RAQ3i.. (I know that is
> a NO NO.)
>
> What I am seeing happening is that the httpd.conf file is being written
> to by an unauthorized service or individual on a nightly basis.

What are the permissions and ownership on httpd.conf on your box?  Is Apache
being restarted as well?  Does it always occur at the same time?  If so,
have you checked to see if any cron jobs are running at that time and if
logs report any activity then?  You may want to install lsof and run it and
netstat every minute (or even every second) writing to a text file so you
can see what's occurring.

> The a's
> are being changed to d's and the e's are being changed to d's.
> Completely bizarre!

Have you run a rootkit detector like chkrootkit?  Do you have a security
solution in place, unnecessary services like telnet shut down, latest Cobalt
upgrades installed, etc.?

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
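The polling approach suggested in the reply above (record lsof and netstat output at a fixed interval and line it up with the moment httpd.conf is rewritten), written out as an added example. This script is not from the original thread or from Cobalt; it assumes a hypothetical config path in CONF, a hypothetical output directory in OUT, and that lsof and netstat are installed (both are skipped if they are not). It keeps a known-good copy of httpd.conf, polls its checksum, and on change appends a diff plus a snapshot of ownership, open-file holders and sockets to a log, so the nightly write can be tied to a cron entry or a process.

```shell
#!/bin/sh
# Added example, not code from the original thread. Poll httpd.conf and log who
# has it open, what is listening, and the exact minute its checksum changes.
# Assumptions (hypothetical, adjust to the box): CONF path, OUT directory,
# and that lsof/netstat exist; both are optional and skipped when absent.

CONF="${CONF:-/etc/httpd/conf/httpd.conf}"
OUT="${OUT:-/var/tmp/httpd-watch}"
INTERVAL="${INTERVAL:-60}"

# file_sig FILE: print the POSIX cksum CRC of FILE, or "-" if it is unreadable.
file_sig() {
    if [ -r "$1" ]; then
        cksum "$1" | cut -d' ' -f1
    else
        echo "-"
    fi
}

# changed OLD_SIG FILE: succeed (exit 0) when FILE's current CRC differs from OLD_SIG.
changed() {
    [ "$(file_sig "$2")" != "$1" ]
}

# snapshot TAG: append one timestamped record to $OUT/watch.log.
snapshot() {
    {
        echo "=== $(date '+%Y-%m-%d %H:%M:%S') $1"
        ls -l "$CONF" 2>&1                          # ownership and mode of the file
        if command -v lsof >/dev/null 2>&1; then
            lsof "$CONF" 2>/dev/null                # processes holding the file open now
        fi
        if command -v netstat >/dev/null 2>&1; then
            netstat -an 2>/dev/null | grep -E 'LISTEN|ESTABLISHED'
        fi
    } >> "$OUT/watch.log"
}

# watch_loop: take a reference copy, then poll; on change log a diff and a snapshot.
watch_loop() {
    mkdir -p "$OUT"
    cp -p "$CONF" "$OUT/httpd.conf.good"           # copy taken while the file is known good
    sig=$(file_sig "$CONF")
    while :; do
        snapshot "poll"
        if changed "$sig" "$CONF"; then
            sig=$(file_sig "$CONF")
            {
                echo "*** $CONF CHANGED at $(date '+%Y-%m-%d %H:%M:%S')"
                diff "$OUT/httpd.conf.good" "$CONF"
            } >> "$OUT/watch.log"
            snapshot "after-change"
        fi
        sleep "$INTERVAL"
    done
}

# Only start polling when explicitly asked, e.g.:  sh watch-httpd.sh --watch &
if [ "${1:-}" = "--watch" ]; then
    watch_loop
fi
```

Start it in the evening with `--watch` and read `watch.log` the next morning: the "CHANGED" record gives the minute to match against `crontab -l`, `/etc/crontab`, `/etc/cron.*` and the system logs, and the `lsof` lines in the surrounding snapshots show which process had the file open. One caveat that fits the chkrootkit suggestion in the reply: if the box has been rooted, `ls`, `netstat` and `lsof` themselves may have been replaced, so treat their output as a lead rather than proof and run the rootkit check first.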