The first strange thing I found was an e-mail from root as:
swatch_service_body_ahttp

Then I got this message: I had a directory on the home volume that I did not create.
------------------
cain is very near or over the disk space limit allocated on the Cobalt server.
Once the quota limit is reached, no more data can be stored.
Consider moving some data to another location or increasing the limit.

Quota Limit: 0.00 MB
Quota Used: 1.29 MB
Percent Used: 129 %
-------------------
Then I got this: The total sites usage is around 507Mb.
-------------------
is getting very close to full. This is very dangerous for the server and can cause unexpected errors to occur.
You either need to move some files to another storage device and delete them from the Cobalt server or delete them altogether.
Consult the documentation for help adding storage to your Cobalt server.

Total disk space: 17259.48 MB
Free disk space: 539.51 MB
Percent Used: 96 %
------------------------------
I looked at the tmp file and found this entry:
---x--x--x 1 webmaster root 15168 Sep 17 18.23 SDI-proftp
-------------------------------
I then exported all the sites and got out the restore disk.

I am not an expert on hacking and can only make assumptions unless I can get help.

Thanks for your interest.

Paul Harvey

----- Original Message -----
From: "Michael Stauber" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, September 29, 2001 4:30 PM
Subject: Re: [cobalt-security] Hacked by SDI linux remote exploit for ProFTP

> Hi Paul,
>
> > I could not find a direct e-mail to tell Sun/Cobalt about my hack.
> > Although I have all the security patches in place, including the 'Security:
> > proftpd Update 1.0.1' they got in using 'SDI linux remote exploit for
> > ProFTP'
> >
> > I have traced the hack to a Brazilian site which is freely available for
> > download. I can let Cobalt have the address if they do not already know
> > it.
>
> It appears that this particular exploit has been around since September 1999.
> The script in question works for ProFTPd 1.2.0. But as far as I understand it
> the vulnerability in question should have been fixed in ProFTPD 1.2.0rc3.
>
> A Cobalt with all patches in place should have proftpd-1.2.2rc1-C2, so I
> wonder how you came to the conclusion that you've been hacked this way?
>
> I'll compile the exploit and will run it against my own machine for a
> look-see, though.
>
> --
>
> With best regards,
>
> Michael Stauber
> SOLARSPEED.NET
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
