[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [cobalt-security] Possible problem?
- Subject: RE: [cobalt-security] Possible problem?
- From: "Ryan McAdams" <ryan@xxxxxxxxxxx>
- Date: Mon, 23 Apr 2001 19:33:33 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
This is what I get on my RAQ4, this look ok? This RAQ is literally just
a test machine, not on the net or even on an internal network. Its on a
2 pc network
# rpm -V util-linux
..?..... /usr/bin/chfn
..?..... /usr/bin/chsh
.M?..... /usr/bin/newgrp
.M...... /usr/bin/write
-Ryan
-----Original Message-----
From: Glen Scott [mailto:glen@xxxxxxxxxxxxxxxxxxxx]
Sent: Monday, April 23, 2001 11:43 AM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Possible problem?
At 10:42 23/04/01, you wrote:
>William,
>
>The one I listed below is one I would worry about.
>
> > ..5..... /bin/login <==== this looks bad.
>
>Normally you would have M5 or MD5....../bin/login instead of ....5....
>This means its been changed. This is VERY VERY bad. Login is one of the
>first things that an intruder will change. Its usually part of a
>rootkit designed to hide their intrusions and logons. They can be
>logged on while you are and you wouldn't even see them (that's if they
>do it correctly).
I am getting this output on two Qube2's in our office- one which is not
even connected to the net. Can you confirm that this means our systems
have been compromised?
[admin@ds2 admin]$ rpm -V util-linux
Unsatisfied dependencies for util-linux-2.7-5C4: /usr/bin/perl5
..5..... /bin/login
.M5..... /usr/bin/chfn
.M5..... /usr/bin/chsh
.M5..... /usr/bin/newgrp
.M5..... /usr/bin/passwd
.M...... /usr/bin/write
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security