Re: [cobalt-security] [cobalt-users] ssh on port 44658???
- Subject: Re: [cobalt-security] [cobalt-users] ssh on port 44658???
- From: Bill Irwin <bill_irwin@xxxxxxxx>
- Date: Tue, 17 Apr 2001 17:03:48 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Loryan,

Here's our little test to check to see if you have been "rooted".
Although it is not 100% accurate (tell this to the customer), one can be reasonably sure that the server has been hacked if any of the following produces output:

    rpm -V procps
    rpm -V fileutils
    rpm -V net-tools
    rpm -V util-linux

...any questions, run these on our servers.

NOTE: util-linux will complain about:

    S.5....T c /etc/pam.d/chfn
    S.5....T c /etc/pam.d/chsh
    S.5....T c /etc/pam.d/login
    .M...... /usr/bin/newgrp
    .M...... /usr/bin/write

These are OK...they should not be different, but they DO NOT show that you've been hacked.

Also, grep /var/log/messages for the string nslookupComplain()
That is the bind vulnerability itself.

Another item to look for is file attributes.
Look in the /usr/bin; /usr/sbin dirs.
" lsattr * "
If you get "----i--- " for many files, he's been had. This causes updates to fail with permissions errors in the cobalt log files. ( /var/cobalt/adm.log on an R4 )

" echo $TERM " will give back dumb...or something else other than xterm

Loryan Strant wrote:
> Hi,
>
> While doing a routine portscan of my RaQ4, I noticed that port 44658 is
> running SSH 1.5-1.2.27.
>
> I know for a fact that I didn't set that up, as I'm running OpenSSH 2.1.1 on
> a completely different port.
>
> Does anyone have any ideas as to what this is?
>
> Thanks,
>
> Loryan
--
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.
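
The following is an added example, not part of the original message or of any Cobalt tooling: a shell filter that reads `rpm -V` output and drops only the util-linux differences the message lists as expected, so anything left over is what needs a look. The names `EXPECTED`, `SAMPLE` and `unexpected_changes` are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original message. Function and variable
# names are assumptions made for illustration.

# Expected "flags path" pairs for util-linux, copied from the message
# (the "c" config-file marker is dropped during parsing).
EXPECTED='S.5....T /etc/pam.d/chfn
S.5....T /etc/pam.d/chsh
S.5....T /etc/pam.d/login
.M...... /usr/bin/newgrp
.M...... /usr/bin/write'

# Reads `rpm -V` output on stdin and prints each entry that is not an
# expected flags+path pair. Both fields must match, so a digest change on
# /usr/bin/newgrp is reported even though a mode-only change is expected.
# Limitation: paths containing spaces are not handled.
unexpected_changes() {
    while read -r flags rest; do
        [ -n "$flags" ] || continue
        path=${rest##* }    # last field is the path; skips the "c" marker
        if ! printf '%s\n' "$EXPECTED" | grep -Fqx -- "$flags $path"; then
            printf '%s %s\n' "$flags" "$path"
        fi
    done
}

# Constructed sample input (not real output from any host).
SAMPLE='S.5....T c /etc/pam.d/login
.M...... /usr/bin/write
S.5....T   /usr/bin/newgrp
S.5....T   /bin/ps
missing    /usr/bin/top'

# Prints the three entries that need investigation.
printf '%s\n' "$SAMPLE" | unexpected_changes
```

On a live host, pipe `rpm -V util-linux` (or any of the four packages) into `unexpected_changes`; the result is only as trustworthy as the rpm binary and package database on that host.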