Hi there !

We got an e-mail today from our CoLo (UK2.net) that our RaQ3 had been hacked.
The port 15000 would be open as a result of this hack. It further says that
approx. 20 files had been changed and we were urgently requested to apply a
.pkg to repair those files.

Since I dare to fix things before they break, I tried to figure out and find
some traces of the exploit.

I couldn't find a foreign thing in .bash_history. We don't have a
'/lib/security/.config' like someone wrote. I tried:
'telnet xxx.xxx.xxx.xxx 15000' and got 'Unable to connect' which tells me that
port 15000 is not open. Furthermore, everything is running smoothly: apache,
ssh, e-mail and '/usr/sbin/ndc status' prints out version bind-8.2.3

Can someone please give some hints and save me from a heart attack ?
How could I detect this hack ?

Thanx
Thomas

--
InternAd.de
Internet Advertising
Thomas Prosi
[EMAIL PROTECTED]

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
