[cobalt-security] [RaQ3i] interesting hack symptoms
- Subject: [cobalt-security] [RaQ3i] interesting hack symptoms
- From: Theodore Jones <theoj@xxxxxxxxxxxxx>
- Date: Fri, 03 Nov 2000 16:22:40 -0800
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Gossi,
> > Thanks for the confirm. I think I'll assume it's probably a false report on
> > the bindshell backdoor due to some special cobalt configuration, unless anyone
> > can offer up suggestions how to debug a bindshell trojan. With today's species
> > of Loadable Kernel Module exploits, this would probably be the least of my
> > worries if I were truly compromised.
>
> Do you have notes of the md5sums of any of your system files?
No. Although in my readings on all of this security stuff recently I did run
into suggestions on doing that. Unfortunately it's really important to do the MD5
checksums when it's nearly out of the box. Right now I could do MD5 checksums, but
if I'm already compromised, this would do little good I'm pretty sure... good
thinking however.
> I'd strongly recommend downloading and installing the Cobalt RPMS for
> 'shadow' and the netutils. This will restore things like login and
> netstat.
For "shadow", as in shadowed passwords and such? Do you have a link for this by
chance?
> Don't trust anything on your system now, as it might be compromised to hide
> stuff :(
Yup, I think I may have leapt to conclusions, but it's best to be paranoid when the
system just crashes of a sudden and some files changed ownership...
Thanks for the input!
~ Theo