[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] PPP line discipline registered ?
- Subject: Re: [cobalt-security] PPP line discipline registered ?
- From: Eugene Crosser <crosser@xxxxxxxxxxx>
- Date: 26 Mar 2003 22:50:35 +0300
- Organization:
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Wed, 2003-03-26 at 22:45, Gerald Waugh wrote:
> On Wednesday 26 March 2003 14:14, Gerald Waugh wrote:
> > On Wednesday 26 March 2003 13:47, Gerald Waugh wrote:
> > > We have a client's RaQ3i
> > > That stops at "Checking Disk"
> > >
> > > The serial console also hangs here!
> > >
> > > CSLIP: code copyright 1989 Regents of the University of California
> > > PPP: version 2.3.7 (demand dialling)
> > > PPP line discipline registered.
> > > device eth0 entered promiscuous mode
> > >
> > > I don't recall seeing this on other systems!
> > > I pulled the drive and ran fsck, OK!
> > > Is this normal, or has the server been hacked?
> >
> > BTW its a RaQ4
> > Also noticed, recent
> > /boot/config-2.4.8-26mdk Mar 26
> > /boot/vmlinux-2.4.8-26mdk Mar 26
> > Are they normal?
>
> NO they are not normal!!!
> looks like someone tried to install a new kernel.
> I wonder if the client did that?
... having got root access for that... with ptrace exploit maybe?
try to match `last' output with the modification times of the files.
Eugene