RE: [cobalt-security] A hacked box - an example
- Subject: RE: [cobalt-security] A hacked box - an example
- From: "MikeM" <mike_miller@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 24 Apr 2001 09:03:31 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> Just want to show you a box that has been hacked into and what it looks
> like. [snip]
>
> A customer believed he was hacked and asked me to verify. Here are the
> results:
> [snip]
>
I ran those commands on my RaQ3, and here's what I got:
[admin@config /home]$ rpm -V procps
[admin@config /home]$ rpm -V fileutils
[admin@config /home]$ rpm -V net-tools
[admin@config /home]$ rpm -V util-linux
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
..?..... /usr/bin/chfn
..?..... /usr/bin/chsh
.M?..... /usr/bin/newgrp
.M...... /usr/bin/write
[admin@config /home]$ lsattr /bin/login
-------- /bin/login
[admin@config /home]$ ls /bin/login -l
-rwsr-xr-x 1 root root 20164 Apr 17 1999 /bin/login
I'm especially curious about login: the MD5 and size are different, yet the
lsattr shows nothing.
Thanks.
Should I be concerned? What does a clean box look like?
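
Added example, not part of the original post: a small decoder for the `rpm -V` rows quoted above, which separates changed attributes from tests rpm could not perform (`?`) and from rows marked as configuration files (`c`). The triage labels and function names are hypothetical choices made for this example; the sample rows are copied from the post.

```python
import re

# Column order of the 8-character attribute field in the `rpm -V` output
# quoted in the post (newer rpm releases print additional columns).
FLAGS = ["size", "mode", "MD5 digest", "device",
         "symlink target", "owner", "group", "mtime"]
LINE = re.compile(r"^([A-Z0-9.?]{8})\s+(?:([a-z])\s+)?(/\S+)$")

# Copied from the post: output of `rpm -V util-linux` on the RaQ3.
SAMPLE = """\
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
..?..... /usr/bin/chfn
..?..... /usr/bin/chsh
.M?..... /usr/bin/newgrp
.M...... /usr/bin/write
"""

def parse(line):
    """Split one rpm -V row into changed and untested attributes."""
    m = LINE.match(line.strip())
    if not m:
        return None  # prompt, lsattr or ls output, blank line
    field, marker, path = m.groups()
    changed = [n for n, ch in zip(FLAGS, field) if ch not in ".?"]
    untested = [n for n, ch in zip(FLAGS, field) if ch == "?"]
    return {"path": path, "config": marker == "c",
            "changed": changed, "untested": untested}

def triage(rec):
    """Hypothetical triage labels chosen for this example."""
    if rec["untested"]:
        return "incomplete"       # '?': rpm could not perform that test
    if rec["config"]:
        return "config-changed"   # 'c': packaged configuration file
    if {"size", "MD5 digest"} & set(rec["changed"]):
        return "content-changed"  # non-config file with different content
    return "metadata-only"        # mode/owner/mtime differ, content matches

def report(text):
    recs = filter(None, map(parse, text.splitlines()))
    return [(r["path"], triage(r)) for r in recs]

if __name__ == "__main__":
    for path, label in report(SAMPLE):
        print(f"{label:16} {path}")
```

A `?` means rpm could not perform that test, for example because the invoking user cannot read the file, so those rows need a re-run with sufficient privileges before they say anything either way.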