
Re: [cobalt-security] owned by 187?



On Wednesday, June 6, 2001, at 08:06 AM, Kevin D wrote:

My baseline checker reports no more modified files, and I've portscanned all IPs on the raq, so it looks like the box is clean, which of course surprises me.

Bear in mind that this doesn't mean much in reality... There are often timed backdoors that launch as either a cron job (crontab -l to check for these) or as an at job... File modification times can be adjusted using touch, and inode times can be changed with more sophisticated tools...

There are many IDS which keep MD5 hashes of all the files on the system as well as a file listing so you may want to look into one of these for the future... I am not familiar with your "baseline checker" which detected the file size change in /etc/passwd [which implies that it runs quite often...] but does this also show any new file creations? If so check for anything at all... especially lurking tmp or scratch... setuids that don't seem quite right are also not entirely rare. I don't know of any "rootkits" crafted specifically for cobalt (as I am relatively new to cobalts in general) but it seems close enough to redhat that the attacker may have also used one on your system, though that seems least likely because your "baseline checker" probably would have caught the change in the file sizes of some binaries.

Good luck on the forensics end of this process, it can be quite frustrating...

--dave worth                  [   davew@xxxxxxxxxx    ]
Perl Programmer for MIS Inc.  [ http://www.misinc.net ]
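The kind of checker Dave recommends above (a hash-and-listing baseline that also reports new files and setuid binaries), as an added example that is not code from this thread; the function names and the constructed scenario are my own, and SHA-256 stands in for the MD5 that tools of the day used. The point of hashing contents is that it catches a change even after the file's size is preserved and its mtime is reset with touch.

```python
import hashlib
import os
import stat
import tempfile
# Added example, not code from the thread; all names here are my own.

def hash_file(path):
    """Hex SHA-256 of the file contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map each regular file under root to (digest, size, permission bits)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):  # skip symlinks, devices, sockets
                rel = os.path.relpath(path, root)
                baseline[rel] = (hash_file(path), st.st_size, stat.S_IMODE(st.st_mode))
    return baseline

def compare(old, new):
    """Diff two baselines into sorted lists: added, removed, modified, setuid."""
    report = {"added": [], "removed": [], "modified": [], "setuid": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel] != new[rel]:
            report["modified"].append(rel)
        if rel in new and new[rel][2] & (stat.S_ISUID | stat.S_ISGID):
            report["setuid"].append(rel)  # flag every setuid/setgid file
    return report

def demo():
    """Constructed scenario: snapshot a directory, then plant two changes."""
    with tempfile.TemporaryDirectory() as root:
        passwd = os.path.join(root, "passwd")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        before = build_baseline(root)
        with open(passwd, "w") as f:  # same length, new content: a size check misses it
            f.write("root:x:0:0:root:/root:/bin/zz\n")
        hidden = os.path.join(root, ".cache")
        open(hidden, "wb").close()
        os.chmod(hidden, 0o4755)  # new file carrying the setuid bit
        return compare(before, build_baseline(root))
```

Run build_baseline over the real tree from known-good media, store the result off-box, and diff against fresh snapshots; a snapshot taken on the possibly compromised host itself is only as trustworthy as its kernel and binaries.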