Please redirect me if this is not the appropriate place for this post.
I have several Debian/Woody/2.4.19 webserver/firewalls at various locations
that seem to have been hacked or victum of a worm or virus. It is hard to
articulate exactly the symptoms since it quickly brings the system down, but
here is what I know so far:
1) There is no more output to /var/log/syslog. The contents of the file is
'0'.
2) 'last' works, but with no unexpected ftp or telnet logins.
3) Windows systems on the inside seem to have been infected with the
W23.HLLW.ULTIMAX worm that propagates through Windows networking. Samba was
indeed running on the servers.
4) If I telnet into the server and 'ls', I get:
ls: uncrecognized prefix: do
ls: unparsable value for LS_COLORS environment variable
But I can su to root.
5) On some systems I rebooted and got the console errors "can't open
/etc/console/boottime.kmap.gz", and it can't seem to mount the the filesystem
and complete the boot.
The first machine went down last Friday in San Antonio TX last Friday. Then
within a few hours two more went down that was on the same DSL providers's
network. Today I experienced the problem on a server in Manchester NH.
Can anyone offer any advice or insight?
-- Joe Briggs Briggs Media Systems 105 Burnsen Ave. Manchester NH 01304 USA TEL/FAX 603-232-3115 MOBILE 603-493-2386 www.briggsmedia.com - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Apr 23 2003 - 22:00:21 EST