Well, I was able to track down the point of intrusion.  Unfortunately, they used an 
exploit in a cgi script that was discovered in April of last year which allowed them 
to write files to the local site, then allowing them to install php and cgi scripts 
for telnet, irc, etc.  The ptrace exploit was there, but not successful.  I did file 
versions and time/date comparisons on 2 of my other servers (uncompromised) and 
everything appears to be fine.  Looks like they were only able to get into the one 
site.  I'm still going to migrate all the sites onto another box, and then rebuild, 
but at least I don't have to worry or rush to get them moved as fast.

Thanks,
James Zawacki

The following message was sent by Dmitry Alexeyev <[EMAIL PROTECTED]> on Wed, 24 Mar 
2004 13:59:35 +0300.

> Sun has never made this patch for RAQ3, but they did for RAQ4. 
> 
> Check http://www.cobaltsupport.com, there's a patched kernel for RAQ3 
> (backported patch from RAQ4 kernel - 3 lines of code...) and UPDATE.
> 
> That's the first thing you have to do (and all other RAQ3 owners as well). 
> 
> The next step is to check for rootkits etc. CobaltSupport also can help you 
> with that. 
> 
> WBR,
> Dmitry





_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
