On Tuesday 26 February 2008 07:55, Michael Christie wrote: > Hi there bill, > > Here is a copy of the cron log, the cron was running every 2 minuets , > the file was chown www:www , i have had a look in my groups and > passwords it looks like there are no new users or root users been made > there. I removed the cron and also removed the file y2kupdate, Google > has not much about the file or what it dose , i just know i have been > hacked. if you have any idea what this hack is and how to make sure it > is cleaned off please advise > > Hope this helps
First of all you can prevent www running a cron again, how depends on your system, have a look at man crontab for further details, possibly /etc/cron.allow or /etc/cron.deny Next you need to look at the permissions of directories under vegadns, what is .system? Not part of a regular vegadns install. You can protect your vegadns with .htaccess and you should certainly change all the passwords. Please tell us more, is this a 'real' server or a virtual server? > > > Feb 26 13:01:00 nemo /usr/sbin/cron[98198]: (www) CMD > (/usr/local/www/data-dist/vegadns/.system/samseng/y2kupdate >/dev/null > 2>&1) > > Bill Shupp wrote: > > On Feb 25, 2008, at 3:03 AM, Michael Christie wrote: > >> Hi all just letting you all know that i had vega dns version 0.9.9.1 > >> hacked on me. the attacker installed a file in the /src dir and some > >> how set up a cron to run the script it was some kind of spam email hack. > >> Now i am back to hand coding the data file until i can work out how > >> to lock it down more. > > > > Micheal, > > > > Please provide as many details as you can. > > > > Thanks, > > > > Bill -- ----------------- Bob Hutchinson Midwales dot com -----------------