Date:  Wed, 19 Jul 2006 07:43:59 -0400
From:  "Donald Zimmer" <dwz (at mark) usa.net>
Subject:  [coba-e:06054] Re: vunerable
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <009301c6ab28$a06c9530$3f01a8c0@DELL>
References:  <27718190-A66C-4995-A501-E50CF1F0B24E (at mark) mfc.bakkers.gr.jp> <44BD2501.7070305 (at mark) dogsbody.org> <44BDBA65.70705 (at mark) mixfans.org> <44BDD8DE.5080209 (at mark) virtbiz.com>
X-Mail-Count: 06054

I just fixed this last night. If you are running Mail2Forum, that is where
the vulnerability is. See this post for more info, although the site is down
right now (they must be fixing their own vulnerability):
http://www.mail2forum.com/forums/viewtopic.php?t=2122



----- Original Message ----- 
From: "Chris Gebhardt - VIRTBIZ Internet" <cobaltfacts (at mark) virtbiz.com>
To: <coba-e (at mark) bluequartz.org>
Sent: Wednesday, July 19, 2006 3:01 AM
Subject: [coba-e:06052] Re: vunerable


> Dennis wrote:
>> Suddenly I get this admin messages:
>>
>> chown root:root /dev/shm/nice2k && chmod 4755 /dev/shm/nice2k && rm -rf 
>> /etc/cron.d/core && kill -USR1 3286
>>
>> chown: cannot access `/dev/shm/nice2k': No such file or directory
>>
>> it seems that someone 'broke' into my system, but how to see what 
>> happened and where ..
>> dennis
>>
>>
>>
>
> We see this on a customer system as well.  There do not seem to be other 
> effects, and nothing was left in /tmp.  It looks as much like something 
> that has been broken as something that has been broken into.
>
> Odd...
>
> -- 
> Chris Gebhardt
> VIRTBIZ Internet Services
> Hosting, Collocation, Dedicated Servers, Internet Access
> (972) 485-4125 | http://www.virtbiz.com
>
>
>
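
An added triage check, not part of the original thread: it looks under a filesystem root for the artifacts named in the quoted cron output (a setuid file under /dev/shm, a file at /etc/cron.d/core, and cron definitions that reference /dev/shm). The function name `triage_cron_alert` and its optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a filesystem root for the
# artifacts named in the quoted cron output.
# ROOT defaults to /; pass a mounted image or a copy to examine it offline.
triage_cron_alert() {
    root="${1:-/}"
    root="${root%/}"      # "/" becomes "", so "$root/dev/shm" is /dev/shm
    findings=0

    # 1. Setuid regular files under dev/shm (the alert ran chmod 4755 there).
    suid=$(find "$root/dev/shm" -xdev -type f -perm -4000 2>/dev/null) || true
    if [ -n "$suid" ]; then
        printf 'setuid file under /dev/shm:\n%s\n' "$suid"
        findings=$((findings + 1))
    fi

    # 2. /etc/cron.d/core, the file the alert's command tried to remove.
    if [ -e "$root/etc/cron.d/core" ] || [ -L "$root/etc/cron.d/core" ]; then
        printf 'present: %s\n' "$root/etc/cron.d/core"
        findings=$((findings + 1))
    fi

    # 3. Any cron definition that mentions /dev/shm.
    refs=$(grep -rl '/dev/shm' "$root/etc/cron.d" "$root/etc/crontab" \
        2>/dev/null) || true
    if [ -n "$refs" ]; then
        printf 'cron file referencing /dev/shm:\n%s\n' "$refs"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]   # exit status 0 = nothing found, 1 = findings
}
```

Call it as `triage_cron_alert /` with root privileges on the affected host, or point it at a mounted disk image; a non-zero exit status means at least one check matched.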