Am I being cracked by someone?

Post by james wood » Fri, 15 Dec 2000 15:41:48



Hi:

I met a strange thing. I'm using an Ultra 30 with Solaris 2.6 as my
workstation. I have the Solaris Document Server installed on this station,
and I can access the documentation by browser at localhost:8888.

Yesterday, when I was working on the box, it suddenly became impossible to
access any site from Netscape, including localhost:8888 and
localhost:80 (Apache).

I checked the system with 'top', and it showed that the program dwhttp
(the document server) was using 91% of the CPU. I removed the network cable,
but the percentage was still very large; in fact it decreased very slowly
to 81%.

It wasn't until I went to localhost:8888 and restarted the document server
that it came back to normal.

I want to know whether I was cracked by anybody and how I can fix this
problem?

James Shen

 
 
 

Post by Dr. David Kirkby » Fri, 15 Dec 2000 19:57:11



> I want to know wether I was cracked by anbody and how I can fix this
> problem?

If you think you might have been hacked, take a look at
 http://sunsolve.sun.co.uk/pub-cgi/show.pl?target=content/content7
You enter the md5 checksums of your binaries and the server on Sun's site
indicates whether they are Sun originals or not. Of course, files like
/etc/passwd need checking manually.

--
Dr. David Kirkby Ph.D,
Senior Research Fellow,
Department of Medical Physics, University College London,
11-20 Capper St, London, WC1E 6JA.
Tel: 020 7679 6406       Fax: 020 7679 6269

Amateur radio callsign: G8WRB

 
 
 

Post by Colin McKinnon - No Spam please » Thu, 21 Dec 2000 19:37:33



> Yesterday when I work on the box, suddently it becomes impossible to
> access any site from the netscape, including localhost:8888 and
> localhost:80(apache).

> I check the system with 'top', it shows that the program dwhttp
> (document server)
> use up 91% CPU. I remove the network cable , but the percentage is still
<snip>
> I want to know wether I was cracked by anbody and how I can fix this
> problem?

Odd behaviour is not enough to base a proper diagnosis on. Any number of
things (mostly software bugs) can cause this to happen. To determine whether
your machine may have been compromised, you should be examining the logs on
your machine and those of your firewall / router in some detail.

However, since crackers are becoming more sophisticated at covering their
trails, any sort of forensics is becoming less reliable. Regardless, after
your system has been hacked you cannot be assured of its integrity unless
you have taken proper security measures BEFORE THE ATTACK TOOK PLACE.

In order to be able to recover from a hack, you need to:

1) take regular backups
2) run an integrity / IDS system such as L5 or tripwire

It's also a good idea to take steps to minimise your exposure:
1) check for security alerts for your OS and apps regularly
2) ensure that you have a properly configured firewall in place
3) test the firewall every time you change the config.

HTH

Colin
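Both replies above come down to the same mechanism: a known-good digest of every binary, recorded before the incident, that you compare against the host afterwards (David's post does it against Sun's fingerprint database, Colin's against a locally kept baseline such as tripwire). The script below is an added example illustrating that mechanism; it is not code from the thread, nor Sun's fingerprint tool, nor tripwire. It assumes a SHA-256 tool (sha256sum, shasum or openssl) is on PATH, since that is what a current system has; on a Solaris 2.6 box of the era you would substitute Sun's md5 tool and the Sun database as the reference. The directory tree, file names and contents in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not Sun's fingerprint tool, not tripwire):
# a minimal file-integrity baseline and check in POSIX sh.
# Assumes a SHA-256 tool (sha256sum, shasum or openssl) is on PATH; the
# sample tree and file contents in demo() are constructed for the demo.

hash_file() {
    # Print only the hex digest of one file, with whichever tool exists.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

list_files() {
    # Relative paths of all regular files under $1, in a fixed order.
    ( cd "$1" && find . -type f | LC_ALL=C sort )
}

# make_baseline DIR BASELINE
# Writes one "digest<TAB>path" line per file. Take it BEFORE any incident
# and keep it off the host (read-only media or another machine); a copy
# the attacker can edit proves nothing.
make_baseline() {
    dir=$1; out=$2
    list_files "$dir" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$dir/$f")" "$f"
    done > "$out"
}

# check_baseline DIR BASELINE
# Prints "MODIFIED <path>", "MISSING  <path>" or "ADDED    <path>" for
# every deviation. Returns 0 if the tree matches the baseline, 1 otherwise.
check_baseline() {
    dir=$1; base=$2; rc=0
    tab=$(printf '\t')
    while IFS="$tab" read -r want f; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING  $f"; rc=1
        elif [ "$(hash_file "$dir/$f")" != "$want" ]; then
            echo "MODIFIED $f"; rc=1
        fi
    done < "$base"
    # Files present now but absent from the baseline (dropped tools, hidden files).
    known=$(mktemp)
    cut -f2 "$base" | LC_ALL=C sort > "$known"
    added=$(list_files "$dir" | comm -13 "$known" -)
    rm -f "$known"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/ADDED    /'
        rc=1
    fi
    return $rc
}

demo() {
    # Constructed stand-ins for system binaries, then three kinds of tampering.
    work=$(mktemp -d); tree=$work/usr; base=$work/baseline.txt
    mkdir -p "$tree/bin" "$tree/sbin"
    printf 'original ls\n'     > "$tree/bin/ls"
    printf 'original ps\n'     > "$tree/bin/ps"
    printf 'original dwhttp\n' > "$tree/sbin/dwhttp"
    make_baseline "$tree" "$base"
    echo "clean tree:"
    if check_baseline "$tree" "$base"; then echo "  matches baseline"; fi
    printf 'trojaned ps\n' > "$tree/bin/ps"          # replaced binary
    rm -f "$tree/bin/ls"                             # deleted binary
    printf 'rootkit\n' > "$tree/sbin/.hidden"        # dropped file
    echo "after tampering:"
    if check_baseline "$tree" "$base"; then :; else echo "  integrity check FAILED"; fi
    rm -rf "$work"
}
demo
```

Two caveats a practitioner would add. First, the check is only as trustworthy as the tools running it: on a box you suspect, `find`, `awk` and the digest utility may themselves have been replaced, so boot from known-good media or copy the binaries from a clean machine before checking. Second, the baseline must predate the incident, which is exactly Colin's point about measures taken before the attack; a baseline made afterwards only tells you what changes from then on.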