[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[cobalt-security] Re: raq3 no admin interface
- Subject: [cobalt-security] Re: raq3 no admin interface
- From: David Buxton <david.buxton@xxxxxxxxxxxx>
- Date: Fri, 29 Jun 2001 16:10:02 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
on 28/6/01 9:23 pm, Bill Irwin <bill_irwin@xxxxxxxx> wrote:
> Although it is not 100% accurate, one can be reasonably sure that the
> server has been hacked if any of the following produces output:
> NOTE: util-linux will complain about:
> S.5....T c /etc/pam.d/chfn
> S.5....T c /etc/pam.d/chsh
> S.5....T c /etc/pam.d/login
> .M...... /usr/bin/newgrp
> .M...... /usr/bin/write
> These are OK...they should not be different, but they DO NOT show
> that you have been hacked.
Hello Bill,
Although your other commands outputted nothing on my RaQ3, rpm -V util-linux
added
..?..... /usr/bin/chfn
..?..... /usr/bin/chsh
to what you mentioned as normal above. Running "ps ax" shows nothing unusual
listening on any port. "ls -l" gives this for each file...
-rws--x--x 1 root root 13800 Apr 17 1999 /usr/bin/chsh
-rws--x--x 1 root root 14088 Apr 17 1999 /usr/bin/chfn
How concerned should I be? This RaQ has been behaving very well for a long
time now (especially after replacing ChiliASP with PHP4). Haven't yet
applied the very latest patch out last week, but otherwise it is up-to-date.
Thanks,
David B.
--
David Buxton - planetrapido.com
Email david.buxton@xxxxxxxxxxxx 14 - 16 Great Pulteney St.
Tel 020-7440-5760 London, W1F 9ND
Mobile 07967-484643 United Kingdom