
Re: [cobalt-security] Possible problem?



While a MIPS box may not be subject to whatever the 'crack-of-the-day'
was that started this thread (I don't remember what it was), if Sun
support thinks MIPS processors are 'not susceptible to intrusions' then
I would recommend NOT contacting Sun support with security questions.
  There are certainly quite a few MIPS rootkits etc. floating around on
the net and people with MIPS boxes do get cracked.  While the script
kiddies do seem to prefer the most common OS/architecture combinations,
that in no way means you won't be cracked just because your server is
MIPS or Alpha or i8080 based.
   Maybe it will only be twice a year that you get scanned by someone
with a script that knows what to do with a MIPS box instead of the twice
(or more) times a day that the Intel kiddies come by, but as many on this
list can attest to, it only takes one to ruin your day.

Frank

--On Monday, April 23, 2001 1:10 PM -0500 Bill Irwin <bill_irwin@xxxxxxxx> wrote:


Glen,

One thing I forgot to mention. All MIPS processor products are not
susceptible to intrusions like this. Sorry for the confusion and
worries. If you have a MIPS processor (you can usually tell when you
login on telnet) then you have no need to worry.

Once again sorry for the confusion and worries.

This is also why I would recommend contacting the Support team before
taking drastic actions. You may find out it was unnecessary in the first
place.

Glen Scott wrote:

At 10:42 23/04/01, you wrote:
> William,
>
> The one I listed below is one I would worry about.
>
> > ..5.....   /bin/login  <==== this looks bad.
>
> Normally you would have M5 or MD5....../bin/login instead of ....5....
> This means it's been changed. This is VERY VERY bad. Login is one of the
> first things that an intruder will change. It's usually part of a rootkit
> designed to hide their intrusions and logons. They can be logged on
> while you are and you wouldn't even see them (that's if they do it
> correctly).

I am getting this output on two Qube2's in our office- one which is not
even connected to the net.  Can you confirm that this means our systems
have been compromised?

[admin@ds2 admin]$ rpm -V util-linux
Unsatisfied dependencies for util-linux-2.7-5C4: /usr/bin/perl5
..5.....   /bin/login
.M5.....   /usr/bin/chfn
.M5.....   /usr/bin/chsh
.M5.....   /usr/bin/newgrp
.M5.....   /usr/bin/passwd
.M......   /usr/bin/write

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security

--
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.



--
Frank Smith                                          fsmith@xxxxxxxxxxx
Systems Administrator                               Voice: 512-374-4673
Hoover's Online                                       Fax: 512-374-4501
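
The `rpm -V` output quoted in this thread, decoded column by column. This is an added example, not part of any poster's message; it assumes the classic eight-column attribute order S M 5 D L U G T, and the function names `parse_verify` and `digest_changed` are hypothetical.

```python
# Added example: decode the attribute column of classic `rpm -V` output.
# Assumed column order (8 columns, as in the thread's output): S M 5 D L U G T.
FLAGS = [("S", "size"), ("M", "mode"), ("5", "MD5 digest"), ("D", "device"),
         ("L", "symlink target"), ("U", "owner"), ("G", "group"), ("T", "mtime")]

# Output quoted in the thread, copied verbatim.
SAMPLE = """\
Unsatisfied dependencies for util-linux-2.7-5C4: /usr/bin/perl5
..5.....   /bin/login
.M5.....   /usr/bin/chfn
.M5.....   /usr/bin/chsh
.M5.....   /usr/bin/newgrp
.M5.....   /usr/bin/passwd
.M......   /usr/bin/write
"""


def parse_verify(text):
    """Map each reported path to the list of attributes that differ."""
    results = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[-1].startswith("/"):
            continue                      # blank line or non-file message
        field, path = parts[0], parts[-1]
        if field == "missing":            # file is gone from disk
            results[path] = ["missing"]
            continue
        if len(field) != len(FLAGS):
            continue                      # e.g. the dependency warning line
        changed = []
        for char, (letter, name) in zip(field, FLAGS):
            if char == letter:
                changed.append(name)
            elif char == "?":
                changed.append(name + " (not checked)")
            elif char != ".":
                break                     # not an attribute string after all
        else:
            results[path] = changed
    return results


def digest_changed(results):
    """Paths whose contents differ from the digest in the RPM database."""
    return [p for p, attrs in results.items() if "MD5 digest" in attrs]


if __name__ == "__main__":
    for path, attrs in parse_verify(SAMPLE).items():
        print(f"{path}: {', '.join(attrs)}")
```

A changed digest only shows that the file differs from what the RPM database recorded. On a host suspected of compromise, run the comparison with a trusted rpm binary and database from read-only media, since both can be altered on the live system.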