Re: [cobalt-security] Possible problem?
- Subject: Re: [cobalt-security] Possible problem?
- From: "William P. N. Smith" <wpns@xxxxxxxxxxxxxxx>
- Date: Mon, 23 Apr 2001 13:34:22 -0400
- Organization: ComputerSmiths Consulting, Inc.
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Is it possible that installing the (yes, I know, unsupported)
RaQ2-POP-before-SMTP-1.2-4.pkg could cause this?  If not, how can I fix it?
Thanks!
Bill Irwin wrote:
> 
> William,
> 
> The one I listed below is one I would worry about.
> 
> > ..5.....   /bin/login  <==== this looks bad.
> 
> Normally you would have M5 or MD5....../bin/login instead of ....5....
> This means it's been changed. This is VERY VERY bad. Login is one of the
> first things that an intruder will change. It's usually part of a rootkit
> designed to hide their intrusions and logons. They can be logged on
> while you are and you wouldn't even see them (that's if they do it
> correctly).
> 
> If you are not sure if the machine is compromised, go to our Email
> support page and request assistance. Though we are not security
> auditors, we do have good experience in dealing with this issue.
> 
> "William P. N. Smith" wrote:
> >
> > I'm also getting 'extra' stuff on a RAQ2:
> >
> > > > Although it is not 100% accurate (tell this to the customer), one can be
> > > > reasonably sure that the
> > > > server has been hacked if any of the following produces output:
> > > >
> > > >       rpm -V procps
> > > >       rpm -V fileutils
> > > >       rpm -V net-tools
> > > >       rpm -V util-linux
> > > >       ...any questions, run these on our servers.
> > > >
> > > >       NOTE: util-linux will complain about:
> > > >       S.5....T c /etc/pam.d/chfn
> > > >       S.5....T c /etc/pam.d/chsh
> > > >       S.5....T c /etc/pam.d/login
> > > >       .M...... /usr/bin/newgrp
> > > >       .M...... /usr/bin/write
> > > >       These are OK...they should not be different, but they DO NOT show
> >
> > [admin admin]$ rpm -V procps
> > Unsatisfied dependencies for procps-1.2.2-2: libncurses.so.3.0
> > [admin admin]$ rpm -V fileutils
> > [admin admin]$ rpm -V net-tools
> > [admin admin]$ rpm -V util-linux
> > Unsatisfied dependencies for util-linux-2.8-11C3: libncurses.so.3.0
> > ..5.....   /bin/login
> > S.5....T c /etc/pam.d/chfn
> > S.5....T c /etc/pam.d/chsh
> > S.5....T c /etc/pam.d/login
> > ..5.....   /usr/bin/chfn
> > ..5.....   /usr/bin/chsh
> > .M5.....   /usr/bin/newgrp
> > .M......   /usr/bin/write
> >
> > --
> > William Smith    wpns@xxxxxxxxxxxxxxx    N1JBJ@xxxxxxxxx
> > ComputerSmiths Consulting, Inc.    www.compusmiths.com
> > _______________________________________________
> > cobalt-security mailing list
> > cobalt-security@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> 
> --
> Bill Irwin
> Technical Support Engineer
> Sun Microsystems, Inc.
-- 
William Smith    wpns@xxxxxxxxxxxxxxx    N1JBJ@xxxxxxxxx
ComputerSmiths Consulting, Inc.    www.compusmiths.com
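
The comparison discussed in this thread, as an added example that is not part of the original messages: it parses the `rpm -V util-linux` output posted above and reports only what the quoted NOTE's list of expected differences does not explain. The function names `parse` and `triage` are hypothetical; both input blocks are copied from the thread.

```python
import re

# Expected util-linux differences, copied from the NOTE quoted in the thread.
BASELINE = """\
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
.M...... /usr/bin/newgrp
.M...... /usr/bin/write
"""

# `rpm -V util-linux` output as posted in the thread.
REPORTED = """\
Unsatisfied dependencies for util-linux-2.8-11C3: libncurses.so.3.0
..5.....   /bin/login
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
..5.....   /usr/bin/chfn
..5.....   /usr/bin/chsh
.M5.....   /usr/bin/newgrp
.M......   /usr/bin/write
"""

# Flags field, optional one-letter marker (c = config file), absolute path.
LINE = re.compile(r"^([SM5DLUGTP.?]{8,})\s+(?:([a-z])\s+)?(/.*)$")

def parse(text):
    """Map path -> (set of failed-test letters, is_config) per verify line."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # dependency notices and blank lines carry no flags
        flags, marker, path = m.groups()
        out[path] = (set(flags) - {"."}, marker == "c")
    return out

def triage(reported, baseline):
    """Return (path, unexplained flags, content_changed) sorted by path."""
    base = parse(baseline)
    findings = []
    for path, (flags, is_config) in sorted(parse(reported).items()):
        extra = flags - base.get(path, (set(), False))[0]
        if extra:
            # '5' on a non-config file: the file's digest no longer matches.
            findings.append((path, "".join(sorted(extra)),
                             "5" in extra and not is_config))
    return findings
```

On the posted output this leaves `/bin/login`, `/usr/bin/chfn`, `/usr/bin/chsh` and `/usr/bin/newgrp`, each with an unexplained digest (`5`) change. Because `rpm` and its database live on the host being checked, an empty result is weaker evidence than a non-empty one.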