Mark Tinberg wrote: > On Fri, 15 Aug 2003, Juri Haberland wrote: > >> /sbin/init had nearly the same timestamp (Aug 12 23:17:29 2003) as the >> following log entry from the Realserver's rmerror.log file: >> >> ***12-Aug-03 23:18:12.471 rmserver(11402): Server automatically restarted >> due to fatal error condition > > From this it would seem most likely to be an exploit of the rmserver > process. Check to see if there is an unpatched SecurityFocus BID for > RealServer otherwise you were probably comprimised with an > as-yet-publicly-unknown exploit. I'd try working with Real.com and see if > they'll provide any help (well, here's to hoping 8^) I checked SecurityFocus before sending my initial mail. Let's see what Real.com has to say. > If you can find a live copy of the exploit used on the system, for example > if your system was used to attack others, that'd be very helpful. Unfortunately there was nothing else other than rootkit. Cheers, Juri --------------------------------------------------------------------------- Captus Networks - Integrated Intrusion Prevention and Traffic Shaping - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Ensure Reliable Performance of Mission Critical Applications - Precisely Define and Implement Network Security and Performance Policies **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo Visit us at: http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814 ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sun Aug 17 2003 - 09:52:04 PDT