Re: [cobalt-security] owned by 187?
- Subject: Re: [cobalt-security] owned by 187?
- From: Dave Worth <davew@xxxxxxxxxx>
- Date: Wed, 6 Jun 2001 09:44:18 -0600
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Wednesday, June 6, 2001, at 08:06 AM, Kevin D wrote:
My baseline checker reports no more modified files, and I've portscanned all IPs on the raq, so it looks like the box is clean, which of course surprises me.
Bear in mind that this doesn't mean much in reality... There are often timed backdoors that launch as either a cron job (crontab -l to check for these) or as an at job... File modification times can be adjusted using touch, and inode times can be changed with more sophisticated tools...

There are many IDS which keep MD5 hashes of all the files on the system as well as a file listing, so you may want to look into one of these for the future... I am not familiar with your "baseline checker" which detected the file size change in /etc/passwd [which implies that it runs quite often...], but does this also show any new file creations? If so, check for anything at all... especially lurking in tmp or scratch... Setuids that don't seem quite right are also not entirely rare. I don't know of any "rootkits" crafted specifically for Cobalt (as I am relatively new to Cobalts in general), but it seems close enough to Red Hat that the attacker may have also used one on your system, though that seems least likely because your "baseline checker" probably would have caught the change in the file sizes of some binaries.

Good luck on the forensics end of this process; it can be quite frustrating...
--dave worth [ davew@xxxxxxxxxx ]
Perl Programmer for MIS Inc. [ http://www.misinc.net ]
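A defender-side illustration of the baseline checking discussed above (a hash list plus a file listing, new-file detection, odd setuids, and touch-style back-dating of mtime). This is an added example written for this archive page, not code from the original post, from Cobalt, or from any particular IDS; every path, file content and timestamp in it is constructed inside a temporary directory for the demo, and the `demo()` scenario, the `Entry` record and the report categories are this example's own design.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline checker (added example, not from the list post).

Records a SHA-256 digest, size, permission bits and the inode's mtime and ctime
for every regular file under a root, then diffs two snapshots.  Besides plain
content changes it reports new and removed files, newly set-uid files, and
files whose mtime is unchanged while the inode ctime moved: that is the trace
left by `touch -r`-style back-dating (or a chmod/chown), because only mtime can
be set from user space while ctime is stamped by the kernel.
"""
import hashlib
import os
import stat
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    digest: str
    size: int
    mode: int       # permission bits incl. set-uid/set-gid/sticky
    mtime_ns: int   # content modification time (user-settable via touch)
    ctime_ns: int   # inode change time (kernel-stamped)


def hash_file(path):
    """SHA-256 of a file, streamed so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (path relative to root) to its Entry."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and device nodes are out of scope here
            entries[os.path.relpath(path, root)] = Entry(
                hash_file(path), st.st_size, stat.S_IMODE(st.st_mode),
                st.st_mtime_ns, st.st_ctime_ns)
    return entries


def compare(baseline, current):
    """Diff two snapshots into the categories a responder would triage."""
    report = {"added": [], "removed": [], "modified": [], "new_setuid": [], "ctime_only": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
            if new.mode & stat.S_ISUID:
                report["new_setuid"].append(rel)
            continue
        if new is None:
            report["removed"].append(rel)
            continue
        if old.digest != new.digest or old.size != new.size:
            report["modified"].append(rel)
        if (new.mode & stat.S_ISUID) and not (old.mode & stat.S_ISUID):
            report["new_setuid"].append(rel)
        if old.mtime_ns == new.mtime_ns and old.ctime_ns != new.ctime_ns:
            # mtime looks untouched but the inode changed: back-dating or chmod/chown
            report["ctime_only"].append(rel)
    return report


def demo():
    """Constructed scenario in a temp dir: take a baseline, tamper, re-check."""
    root = tempfile.mkdtemp(prefix="baseline-demo-")

    def write(rel, data, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(data)
        os.chmod(path, mode)
        return path

    passwd = write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")   # constructed
    ls = write("bin/ls", "#!/bin/sh\necho fake ls\n", 0o755)             # constructed
    stale = write("var/log/old.log", "nothing to see\n")                 # constructed
    baseline = snapshot(root)

    time.sleep(0.2)  # let the kernel clock tick so ctime can visibly move
    st = os.stat(passwd)
    with open(passwd, "a") as f:                      # tamper: extra account line
        f.write("added:x:0:0::/:/bin/sh\n")
    os.utime(passwd, ns=(st.st_atime_ns, st.st_mtime_ns))  # like `touch -r`: put mtime back
    os.chmod(ls, 0o4755)                              # tamper: binary becomes set-uid
    write("tmp/.hidden", "constructed new file\n")    # new file in a scratch dir
    os.remove(stale)
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:>11}: {paths}")
```

The `ctime_only` category is the interesting one for this thread: `touch` can reset mtime, so a checker that trusts mtime alone misses the edited `/etc/passwd`, but the kernel still bumps ctime when it does so. As the post notes, more sophisticated tools can rewrite inode times as well, so this is a cheap tell rather than a guarantee; keep the baseline hash list off the host, because a baseline stored on a compromised box can be edited along with the files it describes.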