Re: [cobalt-security] Hacked, need to verify some files
- Subject: Re: [cobalt-security] Hacked, need to verify some files
- From: Gerald Waugh <gerald@xxxxxxxxx>
- Date: Thu, 6 Dec 2001 00:03:51 -0500
- Organization: Front Street Networks LLC
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Wednesday 05 December 2001 23:08, you wrote:
> I had a break in with a sniffer installed. No root kit.
> I've cleaned up but I wanted to check a few files.
> I believe my /bin/login has been spoofed but I think
> that is the only file.
>
> Can someone with a RaQ3i and all the latest updates
> verify the following items match?
>
> 1) ls -al /bin/bash /bin/login /bin/ls /bin/ps /bin/su
>
> root.root 373176 Apr 6 1999 /bin/bash
1936633e92d70e29147fab0658faa1ac /bin/bash
> root.wheel 212244 Apr 17 1999 /bin/login
e400921eb6a2c84822c5d7de5b4f3057 /bin/login
> root.root 50148 Sep 8 1999 /bin/ls
f482ae701e46005a358a01c139f1ae74 /bin/ls
> root.root 60460 Apr 3 1999 /bin/ps
6d16efee5baecce7a6db7d1e1a088813 /bin/ps
> root.root 13208 Apr 13 1999 /bin/su
231be390b7abe8c8ea5e3d9ee0dc8868 /bin/su
#1 is OK
> 2) ls -al /usr/bin/ftp /usr/bin/passwd /usr/bin/rlogin /usr/bin/rsh
>
> root.root 62268 Mar 21 1999 /usr/bin/ftp
48b7845a675be49f6c3a463baffe08ec /usr/bin/ftp
> root.root 10704 Apr 14 1999 md5sum /usr/bin/passwd
b0ea7b138e3fab9a4d116a3d05685147 /usr/bin/passwd
> root.root 10516 Apr 15 1999 /usr/bin/rlogin
cc723a722bdddb6779c5e5e150288c6e /usr/bin/rlogin
> root.root 7780 Apr 15, 1999 /usr/bin/passwd
>
#2 is OK
> If you could also send me an email with the md5sum
> on these same files I would appreciate it (or I can send
> it to you if you wish). I will also need to get a new copy
> of /bin/login from someone.
>
Gerald
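
The comparison requested in this thread, as an added example that is not part of the original messages: it parses `md5sum`-style reference lines like those in the reply and reports which files match, differ or are missing. The function names, the `root` parameter and the stand-in files in `demo()` are assumptions for illustration; the check is assumed to run from a trusted system against the suspect disk, since tools on a compromised host may themselves be replaced.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# md5sum output: 32 hex digits, whitespace, optional '*', absolute path.
# Leading '>' quote marks from a mail reply are tolerated.
LINE = re.compile(r"[>\s]*([0-9a-fA-F]{32})\s+\*?(/\S.*)$")

def md5_of(path):
    """MD5 of a file, the digest used in this thread (fine for small binaries)."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def parse_manifest(text):
    """Return {path: digest} from md5sum-style lines; other lines are skipped."""
    ref = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ref[m.group(2).strip()] = m.group(1).lower()
    return ref

def verify(ref, root="/"):
    """Check files under `root` (assumed: the suspect disk mounted read-only
    on a trusted machine) against the reference digests."""
    result = {}
    for path, want in sorted(ref.items()):
        local = Path(root) / path.lstrip("/")
        if not local.is_file():
            result[path] = "MISSING"
        else:
            result[path] = "OK" if md5_of(local) == want else "MISMATCH"
    return result

def demo():
    """Constructed sample: stand-in files, one replaced after hashing."""
    with tempfile.TemporaryDirectory() as root:
        bindir = Path(root) / "bin"
        bindir.mkdir()
        (bindir / "ls").write_bytes(b"ls-original")
        (bindir / "login").write_bytes(b"login-original")
        manifest = "".join(f"{md5_of(bindir / n)}  /bin/{n}\n" for n in ("ls", "login"))
        manifest += "0" * 32 + "  /bin/su\n"  # reference entry with no local file
        (bindir / "login").write_bytes(b"login-replaced")
        return verify(parse_manifest(manifest), root)

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:8} {path}")
```

A `MISMATCH` only says the file differs from the reference copy; the reference must come from a machine at the same patch level for the result to mean anything.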