Although it is not 100% accurate (tell this to the customer), one can be reasonably sure that the server has been hacked if any of the following produces output:

    rpm -V procps
    rpm -V fileutils
    rpm -V net-tools
    rpm -V util-linux

...any questions, run these on our servers. NOTE: util-linux will complain about:

    S.5....T c /etc/pam.d/chfn
    S.5....T c /etc/pam.d/chsh
    S.5....T c /etc/pam.d/login
    .M...... /usr/bin/newgrp
    .M...... /usr/bin/write

These are OK...they should not be different, but they DO NOT show that you've been hacked.

OK, I tried this, and the last one, rpm -V util-linux gives the following:

    S.5....T c /etc/pam.d/chfn
    S.5....T c /etc/pam.d/chsh
    S.5....T c /etc/pam.d/login
    ..?..... /usr/bin/chfn
    ..?..... /usr/bin/chsh
    .M?..... /usr/bin/newgrp
    .M...... /usr/bin/write

Are the /usr/bin/chfn and /usr/bin/chsh lines a problem? I've found a few references to bugs in these programs from a few years ago.

-Scott
--------------------------------
Scott Genevish
Training Systems Project Manager
Kinko's, Inc
(805) 477-5307
--------------------------------
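
Added example (not part of the original message or of rpm itself): a small decoder for the `rpm -V` lines quoted above, which separates attributes that rpm tested and found changed from attributes it could not test (the `?` column). The function names `decode` and `triage` and the verdict labels are this example's own, and it assumes file paths contain no spaces.

```python
# Constructed sample: the `rpm -V util-linux` lines quoted in the message above.
SAMPLE = """\
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
..?..... /usr/bin/chfn
..?..... /usr/bin/chsh
.M?..... /usr/bin/newgrp
.M...... /usr/bin/write
"""

# rpm prints one column per test, in this fixed order (older rpm omits "P").
ORDER = "SM5DLUGTP"
NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device",
         "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
         "P": "capabilities"}


def decode(line):
    """Decode one `rpm -V` line; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    flags, path = parts[0], parts[-1]
    config = "c" in parts[1:-1]          # "c" marks a packaged config file
    if flags == "missing":
        return dict(path=path, config=config, changed=[], untested=[],
                    verdict="missing")
    changed, untested = [], []
    for pos, ch in enumerate(flags[:len(ORDER)]):
        name = NAMES[ORDER[pos]]
        if ch == "?":      # test could not be performed (e.g. file unreadable)
            untested.append(name)
        elif ch != ".":    # test ran and the value differs from the package
            changed.append(name)
    if config and changed:
        verdict = "config-changed"       # hypothetical labels, this example's own
    elif "size" in changed or "digest" in changed:
        verdict = "content-changed"      # file bytes differ from the package
    elif untested:
        verdict = "unverified"           # repeat with permission to read the file
    else:
        verdict = "metadata-only" if changed else "ok"
    return dict(path=path, config=config, changed=changed,
                untested=untested, verdict=verdict)


def triage(output):
    # Decode every non-empty line of captured `rpm -V` output.
    return [r for r in map(decode, output.splitlines()) if r]
```

On the sample, the two `..?.....` lines decode to an untested digest with nothing reported as changed, and `.M?.....` to a changed mode plus an untested digest.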