[cobalt-security] Have I been hacked?
- Subject: [cobalt-security] Have I been hacked?
- From: "Simon Wilson" <simon@xxxxxxxxxxxxx>
- Date: Mon, 7 Jan 2002 11:42:37 -0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
I have just had my daily tripwire report and it is horrible... loads of
files have been modified. I have included the summary here below.
We haven't touched the box ourselves so am I in trouble?
Also the logcheck directly after this reports a restart. Could this be what
caused the changes?
Please help as I am very concerned.
Logcheck snip..
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jan 5 04:04:14 ns1 syslogd 1.3-3: restart.
Jan 5 04:05:03 ns1 syslogd 1.3-3: restart.
Tripwire snip..
Section: Unix File System
-------------------------------------------------------------------------------
  Rule Name                                     Severity Level  Added  Removed  Modified
  ---------                                     --------------  -----  -------  --------
  Invariant Directories                         66              0      0        0
  Temporary directories                         33              0      0        0
  Tripwire Data Files                           100             0      0        0
  Critical devices                              100             0      0        0
  User binaries                                 66              0      0        0
  Tripwire Binaries                             100             0      0        0
* Libraries                                     66              0      0        1
* File System and Disk Administraton Programs   100             0      0        34
* Kernel Administration Programs                100             0      0        9
* Networking Programs                           100             0      0        14
* System Administration Programs                100             0      0        16
* Hardware and Device Control Programs          100             0      0        3
* System Information Programs                   100             0      0        2
* Application Information Programs             100             0      0        2
  Critical Utility Sym-Links                    100             0      0        0
* Critical configuration files                  100             0      1        4
  OS executables and libraries                  100             0      0        0
  System boot changes                           100             0      0        0
* Security Control                              100             0      0        7
  Login Scripts                                 100             0      0        0
* Operating System Utilities                    100             0      0        41
  Shell Binaries                                100             0      0        0
* Critical system boot files                    100             0      0        5
  (/boot)
* Root config files                             100             0      0        5
Total objects scanned: 7233
Total violations found: 144
_________________________________________________________________
Simon Wilson