On Tuesday 26 February 2008 10:05, Michael Christie wrote:
> This is a real server,

That's good! Which OS?

>
> Michael
>
> Bob Hutchinson wrote:
> > On Tuesday 26 February 2008 07:55, Michael Christie wrote:
> >> Hi there Bill,
> >>
> >> Here is a copy of the cron log, the cron was running every 2 minutes,
> >> the file was chown www:www, I have had a look in my groups and
> >> passwords it looks like there are no new users or root users been made
> >> there. I removed the cron and also removed the file y2kupdate, Google
> >> has not much about the file or what it does, I just know I have been
> >> hacked. If you have any idea what this hack is and how to make sure it
> >> is cleaned off please advise
> >>
> >> Hope this helps
> >
> > First of all you can prevent www running a cron again, how depends on
> > your system, have a look at
> > man crontab
> > for further details, possibly /etc/cron.allow or /etc/cron.deny
> >
> > Next you need to look at the permissions of directories under vegadns,
> > what is .system? Not part of a regular vegadns install.
> >
> > You can protect your vegadns with .htaccess and you should certainly
> > change all the passwords.
> >
> > Please tell us more, is this a 'real' server or a virtual server?
> >
> >> Feb 26 13:01:00 nemo /usr/sbin/cron[98198]: (www) CMD
> >> (/usr/local/www/data-dist/vegadns/.system/samseng/y2kupdate >/dev/null
> >> 2>&1)
> >>
> >> Bill Shupp wrote:
> >>> On Feb 25, 2008, at 3:03 AM, Michael Christie wrote:
> >>>> Hi all just letting you all know that I had vega dns version 0.9.9.1
> >>>> hacked on me. The attacker installed a file in the /src dir and
> >>>> somehow set up a cron to run the script, it was some kind of spam email
> >>>> hack. Now I am back to hand coding the data file until I can work out
> >>>> how to lock it down more.
> >>>
> >>> Michael,
> >>>
> >>> Please provide as many details as you can.
> >>>
> >>> Thanks,
> >>>
> >>> Bill

-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------
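
The two checks discussed in this thread (what the www account has been running from cron, and whether it may use crontab at all) can be scripted. This is an added example, not part of the original messages: it flags cron log entries run by service accounts or from hidden directories and evaluates the allow/deny rule described in crontab(1). The service-account list, the function names, and the file paths passed to `cron_access` are assumptions.

```shell
#!/bin/sh
# Added example; the account list is an assumption, adjust it per host.
SERVICE_USERS="www www-data apache nobody"

# Constructed sample: the middle entry is the one quoted in the thread,
# the other two are made up for contrast.
SAMPLE_LOG='Feb 26 13:00:00 nemo /usr/sbin/cron[98190]: (root) CMD (/usr/libexec/atrun)
Feb 26 13:01:00 nemo /usr/sbin/cron[98198]: (www) CMD (/usr/local/www/data-dist/vegadns/.system/samseng/y2kupdate >/dev/null 2>&1)
Feb 26 13:05:00 nemo /usr/sbin/cron[98230]: (operator) CMD (/usr/libexec/save-entropy)'

# Read cron log lines on stdin; print "user<TAB>reasons<TAB>command"
# for jobs owned by a service account or run from a dot-directory.
triage_cron_log() {
    awk -v users="$SERVICE_USERS" '
    BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) svc[u[i]] = 1 }
    match($0, /\([^)]+\) CMD \(/) {
        head = substr($0, RSTART, RLENGTH)            # "(user) CMD ("
        user = substr(head, 2, index(head, ")") - 2)
        cmd  = substr($0, RSTART + RLENGTH)
        sub(/\)$/, "", cmd)                           # drop the closing paren
        reason = ""
        if (user in svc) reason = "service-account"
        # a path component that starts with a dot, e.g. /.system/
        if (cmd ~ "/\\.[^/. ]")
            reason = (reason != "" ? reason "," : "") "hidden-dir"
        if (reason != "") printf "%s\t%s\t%s\n", user, reason, cmd
    }'
}

# crontab(1) rule: if the allow file exists the user must be listed in it;
# otherwise, if the deny file exists, the user must not be listed in it.
# Returns 0 = allowed, 1 = denied, 2 = neither file exists (site default applies).
cron_access() {
    user=$1 allow=$2 deny=$3
    if [ -f "$allow" ]; then
        grep -qxF -- "$user" "$allow" && return 0
        return 1
    fi
    if [ -f "$deny" ]; then
        grep -qxF -- "$user" "$deny" && return 1
        return 0
    fi
    return 2
}

printf '%s\n' "$SAMPLE_LOG" | triage_cron_log
```

Point `cron_access` at whichever allow and deny files `man crontab` names on the host, since the location differs between systems.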