[cobalt-security] How to locate SUID = root files?
- Subject: [cobalt-security] How to locate SUID = root files?
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Thu, 22 Mar 2001 11:48:16 +0100
- Organization: Forumworld.com
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi all,
I've got a question for the linux cracks: How do I find out which programs on
my RaQ3 are executable by everyone and are owned by user "root"?
The reason why I ask this: Our box got rooted two weeks ago and two backdoors
had been installed. We removed them, installed the latest patches (also the
proftp fix discussed here), disabled telnet, installed SSH, upgraded Webmin
and the Admin-Interface to SSL and changed the admin password once per week.
We also installed Portsentry and Logwatch to keep up to date on all server
events.
We get portscanned usually once per day and registered some abnormal server
reboots, when the server restarted itself without one of the two persons with
admin login initiating the reboot.
So we suspect that either some kind of backdoor is still there, or that a
malicious SUID = root file is left somewhere.
Any help would be appreciated.
Mit freundlichen Grüßen / Best regards
Michael Stauber
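A defender-side way to answer the question in the post above, as an added example that is not from the original mail or from Cobalt: a POSIX shell script that lists set-uid files owned by root, records a baseline listing, and reports anything that has appeared since the baseline or that lives outside the usual system directories. The baseline file path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Enumerate set-uid files owned by
# one user (root by default), keep a baseline, and flag changes or odd locations.

# list_suid <dir> [<owner>] : set-uid regular files owned by <owner> below <dir>,
# one path per line, sorted (comm needs sorted input). -xdev stays on one
# filesystem so /proc and network mounts are skipped.
list_suid() {
    dir=$1
    owner=${2:-root}
    find "$dir" -xdev -type f -user "$owner" -perm -4000 -print 2>/dev/null | sort
}

# new_since <baseline> <current> : paths in <current> that were not in <baseline>.
new_since() {
    comm -13 "$1" "$2"
}

# outside_system_dirs <listfile> [<prefix>] : entries that are not under the
# usual system trees. <prefix> is stripped first so a listing taken against a
# mounted image or a test directory can be checked the same way.
outside_system_dirs() {
    prefix=${2:-}
    sed "s|^$prefix||" "$1" | grep -v -E '^/(bin|sbin|lib|usr|opt)/' || true
}

# Usage (paths are assumptions):
#   sh suidcheck.sh snapshot /var/lib/suid.base   # record today's listing
#   sh suidcheck.sh compare  /var/lib/suid.base   # report additions and oddities
case "${1:-}" in
    snapshot) list_suid / > "$2" ;;
    compare)
        list_suid / > "$2.now"
        echo "## set-uid root files added since baseline:"
        new_since "$2" "$2.now"
        echo "## set-uid root files outside the usual system directories:"
        outside_system_dirs "$2.now"
        ;;
esac
```

Review every entry the compare step prints against the package database before removing it, since a few legitimate set-uid root binaries live under /usr and a backdoor will usually be the one in /tmp, /var, /home or a dot-directory.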