[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] Hacked, need to verify some files
- Subject: Re: [cobalt-security] Hacked, need to verify some files
- From: Martín Fiumara <martinfiumara@xxxxxxxxxxx>
- Date: Thu, 6 Dec 2001 14:28:41 -0300
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Do a test:
Make a ps -A and see the output, if it gives you some error, the i have a
bad new: you have been rootkited.
I say that because muy raq was compromised once, and i discovered that the
ps, ls, and su binaries were change by other binaries from a rootkit... dont
remember the name right now.
----- Original Message -----
From: "Jay Nelson" <jay@xxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Thursday, December 06, 2001 1:08 AM
Subject: [cobalt-security] Hacked, need to verify some files
> I had a break in with a sniffer installed. No root kit.
> I've cleaned up but I wanted to check a few files.
> I believe my /bin/login has been spoofed but I think
> that is the only file.
>
> Can someone with a RaQ3i and all the latest updates
> verify the following items match?
>
> 1) ls -al /bin/bash /bin/login /bin/ls /bin/ps /bin/su
>
> root.root 373176 Apr 6 1999 /bin/bash
> root.wheel 212244 Apr 17 1999 /bin/login
> root.root 50148 Sep 8 1999 /bin/ls
> root.root 60460 Apr 3 1999 /bin/ps
> root.root 13208 Apr 13 1999 /bin/su
>
> 2) ls -al /usr/bin/ftp /usr/bin/passwd /usr/bin/rlogin /usr/bin/rsh
>
> root.root 62268 Mar 21 1999 /usr/bin/ftp
> root.root 10704 Apr 14 1999 /usr/bin/passwd
> root.root 10516 Apr 15 1999 /usr/bin/rlogin
> root.root 7780 Apr 15, 1999 /usr/bin/passwd
>
>
> If you could also send me an email with the md5sum
> on these same files I would appreciate it (or I can send
> it to you if you wish). I will also need to get a new copy
> of /bin/login from someone.
>
> Thanks.
>
> ---------------------------------------------------
> DuoMark International, Inc.
> 6523 Colgate Avenue, Suite 325
> Los Angeles, CA 90048-4410 / USA
> Voice: +1 323 381-0002
> FAX: +1 323 549 0172
> Email: jay@xxxxxxxxxxx
> WWW: http://www.duomark.com/
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>