
Re: [cobalt-security] [cobalt-users] ssh on port 44658???



Loryan,

Here's our little test to check to see if you have been "rooted"

Although it is not 100% accurate (tell this to the customer), one can be
reasonably sure that the server has been hacked if any of the following
produces output:

      rpm -V procps
      rpm -V fileutils
      rpm -V net-tools
      rpm -V util-linux
      ...any questions, run these on our servers.

      NOTE: util-linux will complain about:
      S.5....T c /etc/pam.d/chfn
      S.5....T c /etc/pam.d/chsh
      S.5....T c /etc/pam.d/login
      .M...... /usr/bin/newgrp
      .M...... /usr/bin/write
      These are OK...they should not be different, but they DO NOT show that
      you've been hacked.

      Also, grep /var/log/messages for the string nslookupComplain()

      That is the bind vulnerability itself

      Another item to look for is file attributes.
      look in the /usr/bin; /usr/sbin dirs.
      " lsattr * "
      If you get "----i--- " for many files, he's been had. This causes updates
      to fail with permissions errors in the cobalt log files
      ( /var/cobalt/adm.log on an R4 ).

      " echo $TERM " will give back dumb...or something else other than xterm


Loryan Strant wrote:

> Hi,
>
> While doing a routine portscan of my RaQ4, I noticed that port 44658 is
> running SSH 1.5-1.2.27.
>
> I know for a fact that I didn't set that up, as I'm running OpenSSH 2.1.1 on
> a completely different port.
>
> Does anyone have any ideas as to what this is?
>
> Thanks,
>
> Loryan
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security

--
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.
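
A small triage script that strings the checks in Bill's reply together. It is added here as an example; it is not part of the thread and not a Cobalt or Sun tool. It assumes the `rpm -V` line format shown in the post (rpm 3.x: an 8-character flag column, an optional `c` for config files, then the path), `lsattr` output with the attribute flags in the first column, and the paths the post names (/usr/bin, /usr/sbin, /var/log/messages, /var/cobalt/adm.log). The check functions read their input from stdin so they can be tried on pasted output; `--live` runs them against the real system.

```sh
#!/bin/sh
# Rootkit triage helper (added example, not from the thread or any Cobalt tool).
# The check functions read stdin so they can be exercised on saved or pasted
# output; run with --live on the box to feed them real rpm -V, lsattr and
# syslog output. Assumed: rpm 3.x verify format, lsattr flags in column 1.

# 1. rpm -V output: drop the five util-linux lines the reply says are harmless
#    (pam.d config edits plus the mode changes on newgrp and write). Anything
#    left is a changed binary, library or config that needs explaining.
filter_known_ok() {
    grep -v -E '^(S\.5\.\.\.\.T +c +/etc/pam\.d/(chfn|chsh|login)|\.M\.\.\.\.\.\. +/usr/bin/(newgrp|write))$' || true
}

# 2. lsattr output: print the paths whose flag field carries 'i' (immutable).
#    Replaced binaries pinned this way make package updates fail, which shows
#    up as the permission errors in the Cobalt adm.log the reply mentions.
immutable_paths() {
    awk '$1 ~ /i/ { print $2 }'
}

# 3. syslog: count lines carrying the BIND nslookupComplain() marker.
count_bind_hits() {
    grep -F -c 'nslookupComplain()' || true
}

# Combine the three signals: "suspect" if any of them fires, else "clean".
#   $1 = leftover rpm -V lines, $2 = immutable path list, $3 = bind hit count
verdict() {
    if [ -n "$1" ] || [ -n "$2" ] || [ "$3" -gt 0 ]; then
        echo suspect
    else
        echo clean
    fi
}

# Run the checks against the live system (the four packages from the reply,
# the two binary directories, and /var/log/messages).
run_live() {
    left=$(for pkg in procps fileutils net-tools util-linux; do
               rpm -V "$pkg"
           done | filter_known_ok)
    imm=$(lsattr /usr/bin/* /usr/sbin/* 2>/dev/null | immutable_paths)
    hits=$(count_bind_hits < /var/log/messages)

    echo "unexplained rpm -V lines:"
    echo "$left"
    echo "immutable files under /usr/bin and /usr/sbin:"
    echo "$imm"
    echo "nslookupComplain() hits in /var/log/messages: $hits"
    echo "TERM=${TERM:-unset}   (reply: dumb or anything but xterm is a hint)"
    echo "verdict: $(verdict "$left" "$imm" "$hits")"
}

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

The checks lean on the local rpm binary and RPM database being intact; a rootkit that also replaced those passes them, which is why the reply calls the test not 100% accurate. The verdict is a prompt for a closer look, not a clean bill of health.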