
Re: [cobalt-security] Possible problem?



Dan,

Have you tried some of the other things that were listed? If so, did
they produce results? The one thing to watch for is after you execute
the lsattr * /usr/bin /usr/sbin

This will produce results like 

-------- /usr/bin/whereis
---i---- /usr/bin/write  <===this has been changed, likely a trojan
version
-------- /usr/bin/xxd
-------- /usr/bin/ex
-------- /usr/bin/vi
-------- /usr/bin/vim
-------- /usr/bin/crontab
-------- /usr/bin/wget
-------- /usr/bin/which
-------- /usr/bin/i386-glibc20-linux-gcc

You will see a lot of i's in the listing. If you see that, you are
toast.
There is one other hack that I've seen that hides this well. It will
produce an error with rpm packages. Look in the /dev folder for
/dev/.lib; it's not supposed to be there, and if you look inside, it's the
lionworm package with the t0rn rootkit.

I've also pulled up the description of ncurses patch which fixed a
vulnerability. 

**Security: ncurses Update 4.0.1 
There used to be an overflowable buffer in the part of the ncurses
library handling cursor movement. Attackers can force a privileged
application to use their own termcap file containing a special terminal
entry which will trigger the ncurses vulnerability, allowing them to
execute arbitrary code with the privileges of the exploited binary.
**

Judging from the error produced, it's **possible** that you may have an
intrusion. Further checks would be needed before deciding upon a course
of action. If you are not sure whether you've been attacked or rooted,
contact our tech support. Even though we are not security auditors,
we can make reasonable checks to determine if in fact you've had an
intrusion.


Dan Keller wrote:
> 
> I'm running a RaQ2, and I've installed all
> the updates.
> 
> Should the commands behave the same
> (i.e. yield no output from these rpm commands)
> on all Cobalt machines?
> 
> I'm getting the following output:
> 
> # rpm -V procps
> Unsatisfied dependencies for procps-1.2.2-2: libncurses.so.3.0
> #
> 
> Yeow!!!  Does this mean I've been hacked???
> 
> Thank you so much,
> Dan Keller
> dan@xxxxxxxxxx
> http://www.keller.com/
> +1 415 861-4500 (voice)
> +1 415 861-4593 (fax)
> 
> At 12:37 PM 4/18/01 -0400, you wrote:
> >>Although it is not 100% accurate (tell this to the customer), one can be
> >>reasonably sure that the
> >>server has been hacked if any of the following produces output:
> >>
> >>      rpm -V procps
> >>      rpm -V fileutils
> >>      rpm -V net-tools
> >>      rpm -V util-linux
> >>      ...any questions, run these on our servers.
> >>
> >>      NOTE: util-linux will complain about:
> >>      S.5....T c /etc/pam.d/chfn
> >>      S.5....T c /etc/pam.d/chsh
> >>      S.5....T c /etc/pam.d/login
> >>      .M...... /usr/bin/newgrp
> >>      .M...... /usr/bin/write
> >>      These are OK...they should not be different, but they DO NOT show that
> >>you've been hacked.
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security

-- 
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.
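Added example (not part of the thread above, and not Cobalt or Sun code): a small POSIX sh helper that applies the two checks discussed in the thread to saved command output. It filters "rpm -V" lines against the five util-linux entries the quoted post says are expected, reporting anything else (including the "Unsatisfied dependencies" line Dan saw) as needing a closer look, and it pulls out of "lsattr" output any file carrying the immutable 'i' flag. The sample output strings are constructed for illustration, not captured from a real RaQ.

```sh
#!/bin/sh
# Constructed sample of "rpm -V util-linux; rpm -V procps" output (not from a real host).
SAMPLE_RPM_V='S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
.M...... /usr/bin/newgrp
.M...... /usr/bin/write
S.5....T   /bin/ps
Unsatisfied dependencies for procps-1.2.2-2: libncurses.so.3.0'

# Constructed sample of "lsattr /usr/bin/*" output (not from a real host).
SAMPLE_LSATTR='-------- /usr/bin/whereis
---i---- /usr/bin/write
-------- /usr/bin/xxd
----i--- /usr/bin/ps'

# The util-linux differences the quoted post lists as expected on a stock Cobalt.
# Anything else that rpm -V prints is treated as worth investigating.
known_ok() {
  case "$1" in
    "S.5....T c /etc/pam.d/chfn"|"S.5....T c /etc/pam.d/chsh"|\
    "S.5....T c /etc/pam.d/login"|".M...... /usr/bin/newgrp"|\
    ".M...... /usr/bin/write") return 0 ;;
  esac
  return 1
}

# Print every rpm -V line that is not on the known-OK list.
suspicious_rpm_lines() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    known_ok "$line" || printf '%s\n' "$line"
  done
}

# Print the path of every lsattr entry whose flag field contains the immutable bit.
immutable_files() {
  printf '%s\n' "$1" | awk '$1 ~ /i/ { print $2 }'
}

echo "== rpm -V lines needing review =="
suspicious_rpm_lines "$SAMPLE_RPM_V"
echo "== files with the immutable attribute set =="
immutable_files "$SAMPLE_LSATTR"
```

On a live system, replace the constructed strings with the real command output (e.g. from "rpm -V util-linux" and "lsattr /usr/bin/* /usr/sbin/*"), keeping in mind that the known-OK list covers only the util-linux entries named in the thread.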