You really should unplug the box. Restore it and start over. NEVER ever use this box now, because you will have a very hard time finding out what has been compromised and what has not. Very tricky.

----- Original Message -----
From: "James Zawacki" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 24, 2004 3:39 AM
Subject: [cobalt-security] Raq4 Server hacked :'(

> Ok.. I've been keeping up with patches.. and am up to date except for the last pine patch on the 17th. But, one of my servers bounced 5 days ago. I started looking into it, and found one of the web site's cgi-bin has a TON of hacking scripts. CGI-Telnet server, irc bots, etc.
>
> And, there was a binary file that was this:
>
> Linux Kernel kmod.c modprobe ptrace vulnerability exploit
>
> Now, I'm trying to do clean up. What's the easiest way to determine if root has been compromised, or just that user account for that web site?
>
> Thanks,
> James
>
> ---------------------------------------------------------------
> http://www.customlynx.com - Low cost web authoring and hosting!
> Get your FREE E-mail address or give them out! (culymail.com)
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
