
Re: [cobalt-security] How to locate SUID = root files?



I don't have an answer but how do you recognise when you have been
port-scanned?

Regards,

Jason Frisch

----- Original Message -----
From: "Michael Stauber" <cobalt@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Thursday, March 22, 2001 7:48 PM
Subject: [cobalt-security] How to locate SUID = root files?


> Hi all,
>
> I've got a question for the linux cracks: How do I find out which programs on
> my RaQ3 are executable by everyone and are owned by user "root"?
>
> The reason why I ask this: Our box got rooted two weeks ago and two backdoors
> had been installed. We removed them, installed the latest patches (also the
> proftp fix discussed here), disabled telnet, installed SSH, upgraded Webmin
> and the Admin-Interface to SSL and change the admin password once per week.
> We also installed Portsentry and Logwatch to keep up to date on all server
> events.
>
> We get portscanned usually once per day and registered some abnormal server
> reboots, when the server restarted itself without one of the two persons with
> admin login initiating the reboot.
>
> So we suspect that either some kind of backdoor is still there, or that a
> malicious SUID = root file is left somewhere.
>
> Any help would be appreciated.
>
>
> Mit freundlichen Grüßen / Best regards
>
> Michael Stauber
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
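
The question in the quoted message, how to enumerate setuid programs owned by root on the RaQ3, is answered by find(1). The script below is an added example written for this archive page; it is not code posted by either participant. It assumes a find that supports -perm -4000, -user and -xdev (GNU find, as shipped on the RaQ3's Linux, does) and takes the owner as a parameter so the functions can be exercised on a scratch directory before being run as root against /. The function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original posts): enumerate setuid executables
# owned by one user (root by default) and compare the list against a baseline.

# find_suid ROOTDIR [OWNER]
# Prints, sorted, every regular file under ROOTDIR with the setuid bit (04000)
# set and owned by OWNER. -xdev stays on the starting filesystem so that
# /proc and network mounts are not walked; -perm -4000 matches the bit
# regardless of the other mode bits (4755, 4711, 6755 all match).
find_suid() {
    dir=${1:-/}
    owner=${2:-root}
    find "$dir" -xdev -type f -perm -4000 -user "$owner" 2>/dev/null | sort
}

# suid_baseline ROOTDIR BASELINE_FILE [OWNER]
# Saves the current setuid list so later runs can be diffed against it.
suid_baseline() {
    dir=$1
    baseline=$2
    owner=${3:-root}
    find_suid "$dir" "$owner" > "$baseline"
}

# suid_new ROOTDIR BASELINE_FILE [OWNER]
# Prints setuid files present now that were not in the baseline. Both lists
# are sorted by find_suid, which comm(1) requires.
suid_new() {
    dir=$1
    baseline=$2
    owner=${3:-root}
    current=$(mktemp)
    find_suid "$dir" "$owner" > "$current"
    comm -13 "$baseline" "$current"
    rm -f "$current"
}

# Typical use on the real box (run as root):
#   suid_baseline / /root/suid-baseline.txt      # right after a clean install
#   suid_new / /root/suid-baseline.txt           # periodically, e.g. from cron
```

Two caveats for a host that has already been rooted: the find, sort and comm binaries may themselves have been replaced, so verify them against the package database (rpm -Vf /usr/bin/find) or run from rescue media; and a backdoor need not be setuid at all (a cron entry, an inetd service or a trojaned sshd is just as common), so this list is one check among several, not a clean bill of health. Run the same search with -perm -2000 to cover setgid files.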