
Re: [cobalt-security] Raq4 Server hacked :'(



You really should unplug the box. Restore it and start over. NEVER ever use
this box now, because you will have a very hard time finding out what has been
compromised and what has not.
Very tricky.


----- Original Message ----- 
From: "James Zawacki" <jzawacki@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Wednesday, March 24, 2004 3:39 AM
Subject: [cobalt-security] Raq4 Server hacked :'(


> Ok.. I've been keeping up with patches.. and am up to date except for the
> last pine patch on the 17th.  But, one of my servers bounced 5 days ago.  I
> started looking into it, and found one of the web site's cgi-bin has a TON of
> hacking scripts.  CGI-Telnet server, irc bots, etc.
>
> And, there was a binary file that was this:
>
>  Linux Kernel kmod.c modprobe ptrace vulnerability exploit
>
> Now, I'm trying to do clean up.  What's the easiest way to determine if
> root has been compromised, or just that user account for that web site?
>
> Thanks,
> James