
Re: [cobalt-security] Hacked, need to verify some files



Do a test:

Run ps -A and look at the output; if it gives you some error, then I have
bad news: you have been rootkitted.
I say that because my RaQ was compromised once, and I discovered that the
ps, ls, and su binaries were replaced by other binaries from a rootkit... I don't
remember the name right now.

----- Original Message -----
From: "Jay Nelson" <jay@xxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Thursday, December 06, 2001 1:08 AM
Subject: [cobalt-security] Hacked, need to verify some files


> I had a break in with a sniffer installed.  No root kit.
> I've cleaned up but I wanted to check a few files.
> I believe my /bin/login has been spoofed but I think
> that is the only file.
>
> Can someone with a RaQ3i and all the latest updates
> verify the following items match?
>
> 1)   ls -al /bin/bash /bin/login /bin/ls /bin/ps /bin/su
>
> root.root    373176  Apr  6 1999   /bin/bash
> root.wheel 212244  Apr 17 1999  /bin/login
> root.root      50148  Sep 8 1999   /bin/ls
> root.root      60460  Apr 3  1999  /bin/ps
> root.root      13208  Apr 13 1999  /bin/su
>
> 2)   ls -al /usr/bin/ftp /usr/bin/passwd /usr/bin/rlogin /usr/bin/rsh
>
> root.root      62268  Mar 21 1999  /usr/bin/ftp
> root.root      10704  Apr 14  1999  /usr/bin/passwd
> root.root      10516  Apr 15  1999  /usr/bin/rlogin
> root.root        7780  Apr 15, 1999  /usr/bin/passwd
>
>
> If you could also send me an email with the md5sum
> on these same files I would appreciate it (or I can send
> it to you if you wish).  I will also need to get a new copy
> of /bin/login from someone.
>
> Thanks.
>
> ---------------------------------------------------
> DuoMark International, Inc.
> 6523 Colgate Avenue, Suite 325
> Los Angeles, CA  90048-4410 / USA
> Voice: +1 323 381-0002
> FAX: +1 323 549 0172
> Email: jay@xxxxxxxxxxx
> WWW: http://www.duomark.com/
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
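
Added example, not part of the original thread: the size and md5sum comparison requested above, done against a known-good manifest rather than by eye. The function name `verify_manifest`, the `MISMATCHES` variable and the manifest format are assumptions made for this sketch. It is meant to run from a trusted system against a mounted copy of the suspect disk, since `ls`, `ps` and `md5sum` on the compromised host may themselves have been replaced.

```shell
#!/bin/sh
# Added example: check files against a known-good manifest.
# Manifest format (constructed for this example), one file per line:
#   <md5> <size-in-bytes> <absolute-path>
# Usage: verify_manifest MANIFEST [ROOT]
#   ROOT is prepended to each path, e.g. /mnt/suspect for a disk mounted
#   read-only on a clean machine. Empty ROOT checks the live filesystem.

verify_manifest() {
    manifest=$1
    root=${2:-}
    bad=0
    while read -r want_md5 want_size path; do
        # Skip blank lines and comments in the manifest.
        case $want_md5 in ''|'#'*) continue ;; esac
        file=$root$path
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        got_size=$(wc -c < "$file" | tr -d ' ')
        got_md5=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$got_size" != "$want_size" ]; then
            echo "SIZE     $path (want $want_size, got $got_size)"
            bad=$((bad + 1))
        elif [ "$got_md5" != "$want_md5" ]; then
            # A replaced binary can be padded to the original length,
            # so a matching size alone proves nothing.
            echo "MD5      $path (same size, different content)"
            bad=$((bad + 1))
        else
            echo "OK       $path"
        fi
    done < "$manifest"
    MISMATCHES=$bad          # number of files that failed a check
    [ "$bad" -eq 0 ]         # exit status 0 only if everything matched
}
```

The manifest has to come from an identical, fully patched machine or from the vendor's packages; one generated on the compromised host only records the current, possibly modified, state.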