
RE: [cobalt-security] A hacked box - an example



> Just want to show you a box that has been hacked into and what it looks
> like. [snip]
>
> A customer believed he was hacked and asked me to verify. Here's the
> results:
> [snip]
>


I ran those commands on my RaQ3, and here's what I got:

[admin@config /home]$ rpm -V procps
[admin@config /home]$ rpm -V fileutils
[admin@config /home]$ rpm -V net-tools
[admin@config /home]$ rpm -V util-linux
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
..?.....   /usr/bin/chfn
..?.....   /usr/bin/chsh
.M?.....   /usr/bin/newgrp
.M......   /usr/bin/write
[admin@config /home]$ lsattr /bin/login
-------- /bin/login
[admin@config /home]$ ls /bin/login -l
-rwsr-xr-x   1 root     root        20164 Apr 17  1999 /bin/login



I'm especially curious about login: the MD5 and size are different, yet the
lsattr shows nothing.

Thanks.

Should I be concerned?  What does a clean box look like?
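
Added example, not part of the original message: a small decoder for the 8-character `rpm -V` result strings shown above (column order S, M, 5, D, L, U, G, T; `?` means the test could not be run, typically because the user running rpm cannot read the file; a `c` marks a config file). The triage labels are assumptions made for this illustration, not rpm terminology.

```python
import re

ORDER = "SM5DLUGT"  # column order of the 8-character rpm -V result string
MEANING = {"S": "size", "M": "mode", "5": "MD5 digest", "D": "device",
           "L": "symlink target", "U": "owner", "G": "group", "T": "mtime"}
# result string, optional file-type marker (c = config), absolute path
LINE = re.compile(r"^([SM5DLUGT.?]{8})\s+(?:([cdglr])\s+)?(/\S+)$")

# The rpm -V lines from the message above, copied as-is (prompt lines included).
SAMPLE = """\
[admin@config /home]$ rpm -V util-linux
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
..?.....   /usr/bin/chfn
..?.....   /usr/bin/chsh
.M?.....   /usr/bin/newgrp
.M......   /usr/bin/write
"""

def decode(line):
    """Decode one rpm -V result line; return None for prompts and other text."""
    m = LINE.match(line.strip())
    if not m:
        return None
    result, attr, path = m.groups()
    failed = [ORDER[i] for i, ch in enumerate(result) if ch not in ".?"]
    unchecked = [ORDER[i] for i, ch in enumerate(result) if ch == "?"]
    content = "S" in failed or "5" in failed
    # Triage labels below are illustrative assumptions.
    if content and attr == "c":
        triage = "config-changed"      # edited config: diff against the packaged copy
    elif content:
        triage = "content-changed"     # packaged non-config file no longer matches
    elif "5" in unchecked:
        triage = "digest-unchecked"    # content not verified: rerun rpm -V as root
    else:
        triage = "metadata-only"       # only mode/owner/mtime style differences
    return {"path": path, "config": attr == "c", "failed": failed,
            "unchecked": unchecked, "triage": triage}

def report(text):
    """Decode every result line in a block of rpm -V output."""
    return [r for r in map(decode, text.splitlines()) if r]

if __name__ == "__main__":
    for r in report(SAMPLE):
        diffs = ", ".join(MEANING[f] for f in r["failed"]) or "none"
        print(f'{r["triage"]:17} {r["path"]:20} differs: {diffs}')
```

On the sample, the only size and MD5 failures are on the three `c`-marked files under /etc/pam.d, and /bin/login produces no record at all.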