Re: [cobalt-security] Possible problem?



William,

The one I listed below is one I would worry about.
 
> ..5.....   /bin/login  <==== this looks bad.

Normally you would have M5 or MD5....../bin/login instead of ....5....
This means it's been changed. This is VERY VERY bad. Login is one of the
first things that an intruder will change. It's usually part of a rootkit
designed to hide their intrusions and logons. They can be logged on
while you are and you wouldn't even see them (that's if they do it
correctly).

If you are not sure if the machine is compromised, go to our Email
support page and request assistance. Though we are not security
auditors, we do have good experience in dealing with this issue.

"William P. N. Smith" wrote:
> 
> I'm also getting 'extra' stuff on a RAQ2:
> 
> > > Although it is not 100% accurate (tell this to the customer), one can be
> > > reasonably sure that the
> > > server has been hacked if any of the following produces output:
> > >
> > >       rpm -V procps
> > >       rpm -V fileutils
> > >       rpm -V net-tools
> > >       rpm -V util-linux
> > >       ...any questions, run these on our servers.
> > >
> > >       NOTE: util-linux will complain about:
> > >       S.5....T c /etc/pam.d/chfn
> > >       S.5....T c /etc/pam.d/chsh
> > >       S.5....T c /etc/pam.d/login
> > >       .M...... /usr/bin/newgrp
> > >       .M...... /usr/bin/write
> > >       These are OK...they should not be different, but they DO NOT show
> 
> [admin admin]$ rpm -V procps
> Unsatisfied dependencies for procps-1.2.2-2: libncurses.so.3.0
> [admin admin]$ rpm -V fileutils
> [admin admin]$ rpm -V net-tools
> [admin admin]$ rpm -V util-linux
> Unsatisfied dependencies for util-linux-2.8-11C3: libncurses.so.3.0
> ..5.....   /bin/login
> S.5....T c /etc/pam.d/chfn
> S.5....T c /etc/pam.d/chsh
> S.5....T c /etc/pam.d/login
> ..5.....   /usr/bin/chfn
> ..5.....   /usr/bin/chsh
> .M5.....   /usr/bin/newgrp
> .M......   /usr/bin/write
> 
> --
> William Smith    wpns@xxxxxxxxxxxxxxx    N1JBJ@xxxxxxxxx
> ComputerSmiths Consulting, Inc.    www.compusmiths.com

-- 
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.
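
A triage of `rpm -V` output like the listing quoted in this thread, as an added example that is not part of the original messages: it separates content (MD5) mismatches on non-config files from config-file changes and mode-only changes. The sample lines are copied from the quoted output; the function name `triage` and the bucket names are assumptions made for this example.

```python
import re

# rpm -V output copied from the message quoted in this thread.
SAMPLE = """\
Unsatisfied dependencies for util-linux-2.8-11C3: libncurses.so.3.0
..5.....   /bin/login
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
..5.....   /usr/bin/chfn
..5.....   /usr/bin/chsh
.M5.....   /usr/bin/newgrp
.M......   /usr/bin/write
"""

# Verify flags: S size, M mode, 5 MD5 digest, D device, L symlink,
# U user, G group, T mtime. The thread shows 8 columns; newer rpm prints 9.
LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*?)\s*$"
)


def triage(output):
    """Sort rpm -V lines into buckets (bucket names are this example's own)."""
    buckets = {"content_changed": [], "config_changed": [],
               "metadata_only": [], "unparsed": []}
    for line in output.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line)
        if m is None:
            # Dependency warnings and other non-file lines land here.
            buckets["unparsed"].append(line)
        elif m.group("attr") == "c":
            # Config files are routinely edited after install.
            buckets["config_changed"].append(m.group("path"))
        elif "5" in m.group("flags"):
            # File content no longer matches the digest in the RPM database.
            buckets["content_changed"].append(m.group("path"))
        else:
            buckets["metadata_only"].append(m.group("path"))
    return buckets


if __name__ == "__main__":
    for name, items in triage(SAMPLE).items():
        print(name)
        for item in items:
            print("   ", item)
```

The result is only as trustworthy as the `rpm` binary and package database on the host, so on a machine suspected of compromise run the check with trusted copies of both.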