
Re: [cobalt-security] Possible problem?



Frank,

I never meant to imply they are immune, just not targeted as much as
you pointed out. I have yet to see a MIPS machine that has been
intruded. If anyone comes across one, let me know as I'd be curious to
see what kind of evidence markers to look for. After all I'm still
learning =)

The posting I made with regard to the RPM check is for the frame of
reference that we go by. You should double-check your evidence or have
someone else verify before you go through the costly and time-consuming
exercise of restoring your server.

Frank Smith wrote:
> 
> While a MIPS box may not be subject to whatever the 'crack-of-the-day'
> was that started this thread (I don't remember what it was), if Sun
> support thinks MIPS processors are 'not susceptible to intrusions' then
> I would recommend NOT contacting Sun support with security questions.
>    There are certainly quite a few MIPS rootkits etc. floating around on
> the net and people with MIPS boxes do get cracked.  While the script
> kiddies do seem to prefer the most common OS/architecture combinations,
> that in no way means you won't be cracked just because your server is
> MIPS or Alpha or i8080 based.
>     Maybe it will only be twice a year that you get scanned by someone
> with a script that knows what to do with a MIPS box instead of the twice
> (or more) time a day that the Intel kiddies come by, but as many on this
> list can attest to, it only takes one to ruin your day.
> 
> Frank
> 
> --On Monday, April 23, 2001 1:10 PM -0500 Bill Irwin <bill_irwin@xxxxxxxx> wrote:
> 
> >
> > Glen,
> >
> > One thing I forgot to mention. All MIPS processor products are not
> > susceptible to intrusions like this. Sorry for the confusion and
> > worries. If you have a MIPS processor (you can usually tell when you
> > login on telnet) then you have no need to worry.
> >
> > Once again sorry for the confusion and worries.
> >
> > This is also why I would recommend contacting the Support team before
> > taking drastic actions. You may find out it was unnecessary in the first
> > place.
> >
> > Glen Scott wrote:
> >>
> >> At 10:42 23/04/01, you wrote:
> >> > William,
> >> >
> >> > The one I listed below is one I would worry about.
> >> >
> >> > > ..5.....   /bin/login  <==== this looks bad.
> >> >
> >> > Normally you would have M5 or MD5....../bin/login instead of ....5....
> >> > This means it's been changed. This is VERY VERY bad. Login is one of the
> >> > first things that an intruder will change. It's usually part of a rootkit
> >> > designed to hide their intrusions and logons. They can be logged on
> >> > while you are and you wouldn't even see them (that's if they do it
> >> > correctly).
> >>
> >> I am getting this output on two Qube2s in our office, one which is not
> >> even connected to the net.  Can you confirm that this means our systems
> >> have been compromised?
> >>
> >> [admin@ds2 admin]$ rpm -V util-linux
> >> Unsatisfied dependencies for util-linux-2.7-5C4: /usr/bin/perl5
> >> ..5.....   /bin/login
> >> .M5.....   /usr/bin/chfn
> >> .M5.....   /usr/bin/chsh
> >> .M5.....   /usr/bin/newgrp
> >> .M5.....   /usr/bin/passwd
> >> .M......   /usr/bin/write
> >>

-- 
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.
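
The thread turns on reading `rpm -V` output correctly: each of the leading columns stands for one attribute (size, mode, MD5 digest, ...) and a letter there means that attribute differs from what the package database recorded. The following script is an added illustration, not code from the list or from any of the people quoted above. It parses verification output of the form Glen posted (the sample is constructed and modelled on his lines), separates digest/size differences (file contents changed) from metadata-only differences (permissions, ownership, timestamps) and from missing files, and spells out what each flag means. Function names and the sample text are this example's own; the column meanings are those documented in rpm(8).

```python
import re

# Column meanings for "rpm -V", in column order, as documented in rpm(8).
# Old rpm prints 8 columns (S M 5 D L U G T); newer releases add P.
FLAG_MEANING = {
    "S": "size differs",
    "M": "mode differs (permissions or file type)",
    "5": "MD5 digest differs (file contents changed)",
    "D": "device major/minor number mismatch",
    "L": "readlink path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "modification time differs",
    "P": "capabilities differ",
}

# A file line: 8 or 9 flag columns, optional file-type letter (c, d, g, l, r), path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.]{8,9})\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S+)$"
)

# Constructed sample, modelled on the output quoted in the thread.
SAMPLE_OUTPUT = """\
Unsatisfied dependencies for util-linux-2.7-5C4: /usr/bin/perl5
..5.....   /bin/login
.M5.....   /usr/bin/chfn
.M5.....   /usr/bin/chsh
.M5.....   /usr/bin/newgrp
.M5.....   /usr/bin/passwd
.M......   /usr/bin/write
missing    /usr/bin/example-missing-file
"""


def parse_verify_output(text):
    """Return [(path, set_of_flags)] for every file line; other lines are skipped.

    A missing file is reported with the single pseudo-flag "missing".
    """
    results = []
    for line in text.splitlines():
        if line.startswith("missing"):
            parts = line.split()
            if len(parts) >= 2:
                results.append((parts[-1], {"missing"}))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # dependency messages and other non-file output
        flags = {c for c in m.group("flags") if c != "."}
        results.append((m.group("path"), flags))
    return results


def describe(flags):
    """Human-readable meaning of each flag, in rpm's column order."""
    if "missing" in flags:
        return ["file is missing"]
    return [FLAG_MEANING[c] for c in "SM5DLUGTP" if c in flags]


def triage(text):
    """Map each reported path to one of: 'content', 'metadata', 'missing'.

    'content' means the digest or size differs, i.e. the bytes on disk are not
    the package's bytes; compare such files against a trusted copy of the
    package before drawing conclusions.  'metadata' means only permissions,
    ownership or timestamps differ, which local administration can also cause.
    """
    classified = {}
    for path, flags in parse_verify_output(text):
        if "missing" in flags:
            classified[path] = "missing"
        elif "5" in flags or "S" in flags:
            classified[path] = "content"
        else:
            classified[path] = "metadata"
    return classified


if __name__ == "__main__":
    for path, flags in parse_verify_output(SAMPLE_OUTPUT):
        print(f"{triage(SAMPLE_OUTPUT)[path]:9s} {path}: {'; '.join(describe(flags))}")
```

Run against real output with `rpm -Va | python3 this_script.py`-style piping replaced by reading stdin, or paste the lines into `SAMPLE_OUTPUT`; in either case a `content` verdict on a binary like `/bin/login` is what the thread treats as the serious signal, and the advice above still applies: verify against a known-good copy before rebuilding.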