
Re: [cobalt-security] Possible problem?



Glen,

One thing I forgot to mention. All MIPS processor products are not
susceptible to intrusions like this. Sorry for the confusion and
worries. If you have a MIPS processor (you can usually tell when you
log in on telnet) then you have no need to worry.

Once again sorry for the confusion and worries.

This is also why I would recommend contacting the Support team before
taking drastic actions. You may find out it was unnecessary in the first
place.


Glen Scott wrote:
> 
> At 10:42 23/04/01, you wrote:
> >William,
> >
> >The one I listed below is one I would worry about.
> >
> > > ..5.....   /bin/login  <==== this looks bad.
> >
> >Normally you would have M5 or MD5....../bin/login instead of ....5....
> >This means it's been changed. This is VERY VERY bad. Login is one of the
> >first things that an intruder will change. It's usually part of a rootkit
> >designed to hide their intrusions and logons. They can be logged on
> >while you are and you wouldn't even see them (that's if they do it
> >correctly).
> 
> I am getting this output on two Qube2's in our office, one of which is not
> even connected to the net.  Can you confirm that this means our systems
> have been compromised?
> 
> [admin@ds2 admin]$ rpm -V util-linux
> Unsatisfied dependencies for util-linux-2.7-5C4: /usr/bin/perl5
> ..5.....   /bin/login
> .M5.....   /usr/bin/chfn
> .M5.....   /usr/bin/chsh
> .M5.....   /usr/bin/newgrp
> .M5.....   /usr/bin/passwd
> .M......   /usr/bin/write

-- 
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.
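
The flag columns in the `rpm -V` output quoted in this thread can be decoded mechanically; the following is an added example, not part of the original messages. It assumes the flag order S, M, 5, D, L, U, G, T of rpm's verify output, and the function names are hypothetical.

```python
import re

# Columns of the 8-character flag field shown in the thread's `rpm -V` output.
# Assumption: newer rpm releases append a ninth column, P (capabilities).
COLUMNS = ["size", "mode", "md5", "device", "symlink", "owner", "group", "mtime", "capabilities"]

# flags, optional file-type marker (c = config, d = doc, ...), absolute path
LINE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")
MISSING = re.compile(r"^missing\s+(?:([cdglr])\s+)?(/.*)$")

def parse_verify(output):
    """Return one dict per file that `rpm -V` reported; other lines are skipped."""
    findings = []
    for raw in output.splitlines():
        line = raw.strip()
        gone = MISSING.match(line)
        if gone:
            findings.append({"path": gone.group(2), "missing": True, "changed": [], "unverified": []})
            continue
        m = LINE.match(line)
        if not m:
            continue  # shell prompt, dependency warnings, blank lines
        flags = m.group(1)
        findings.append({
            "path": m.group(3),
            "missing": False,
            # "." = test passed, "?" = test could not be run, anything else = mismatch
            "changed": [COLUMNS[i] for i, ch in enumerate(flags) if ch not in ".?"],
            "unverified": [COLUMNS[i] for i, ch in enumerate(flags) if ch == "?"],
        })
    return findings

def content_differs(findings):
    """Paths that are missing or whose contents no longer match the recorded digest."""
    return [f["path"] for f in findings if f["missing"] or "md5" in f["changed"]]

# Output copied from the quoted message in this thread.
SAMPLE = """\
[admin@ds2 admin]$ rpm -V util-linux
Unsatisfied dependencies for util-linux-2.7-5C4: /usr/bin/perl5
..5.....   /bin/login
.M5.....   /usr/bin/chfn
.M5.....   /usr/bin/chsh
.M5.....   /usr/bin/newgrp
.M5.....   /usr/bin/passwd
.M......   /usr/bin/write
"""

if __name__ == "__main__":
    for f in parse_verify(SAMPLE):
        print(f["path"], f["changed"] or "missing")
```

A digest mismatch only says that the file differs from what the RPM database recorded; comparing the binary against a known-good copy of the package is the next step.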