RE: [cobalt-security] Have I been hacked?
- Subject: RE: [cobalt-security] Have I been hacked?
- From: Graeme Fowler <graeme.fowler@xxxxxxxxxxxxxx>
- Date: Wed, 9 Jan 2002 14:24:19 -0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Simon Wilson wrote:
> We already run chkrootkit on a daily basis using cron (your advice I
> believe) and it is reporting nothing unusual.
...then tripwire is reporting something completely different.
> I ran a netstat on the machine, nothing unusual.
Good, although you can't trust a binary on a machine you think has been
compromised.
At a rough guess, tripwire is complaining that either dates or permissions
have changed. Have you run something which 'hardens' the RaQ by locking down
certain binaries? Or have you recently installed a wrapped-up Cobalt system
update?
Or alternatively; have a dig through /root/.bash_history for 'chmod -R'.
Possibly someone accidentally ran it whilst sitting in / - I have, sadly,
done this myself before. That time though I totally blew the machine away :(
I'd be more worried if it was only specific files, but the fact that
everything in a bagload of dirs has been modified signifies one (or more)
of:
a dropped bollock by an administrator
a script error
a (bad?) Cobalt update
an extremely wide-ranging rootkit
an extremely talented cracker
Graeme
--
Graeme Fowler
System Administrator
Host Europe Group PLC
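
One way to run the /root/.bash_history check suggested in the message above, as an added example that is not part of the original post: it replays `cd` commands to estimate the working directory and flags recursive chmod/chown/chgrp commands whose target resolves to a system tree. The function name, the SYSTEM_TREES list and the sample history are assumptions made for illustration; the result is a heuristic, since history files do not record the working directory and can be edited.

```python
import posixpath
import re
import shlex

# Trees an integrity checker typically watches (constructed list for this example).
SYSTEM_TREES = ("/", "/bin", "/sbin", "/usr", "/etc", "/lib", "/var")

# Constructed sample history, not taken from a real host.
SAMPLE_HISTORY = """\
cd /home/sites/site1/web
chmod -R 755 images
cd /
ls -la
chmod -R 644 .
sudo chown -fR admin /usr
"""

def risky_recursive_changes(history_text, home="/root"):
    """Return (line_no, cwd, command, target) for each recursive
    chmod/chown/chgrp whose target resolves to a system tree."""
    cwd, hits = home, []
    for line_no, line in enumerate(history_text.splitlines(), 1):
        for part in re.split(r";|&&", line):   # naive split of chained commands
            try:
                words = shlex.split(part, comments=True)
            except ValueError:                  # unbalanced quotes: skip
                continue
            words = words[1:] if words[:1] == ["sudo"] else words
            if not words:
                continue
            cmd, args = posixpath.basename(words[0]), words[1:]
            if cmd == "cd":
                dest = args[0] if args else home
                if dest == "~" or dest.startswith("~/"):
                    dest = home + dest[1:]
                cwd = posixpath.normpath(posixpath.join(cwd, dest))
            elif cmd in ("chmod", "chown", "chgrp"):
                flags = [a for a in args if a.startswith("-")]
                if not any(a == "--recursive" or (a[:2] != "--" and "R" in a)
                           for a in flags):
                    continue
                # First non-flag word is the mode or owner; the rest are paths.
                for path in [a for a in args if not a.startswith("-")][1:]:
                    target = posixpath.normpath(posixpath.join(cwd, path))
                    if target.endswith("/*"):   # "chmod -R 755 *" hits cwd's children
                        target = posixpath.dirname(target)
                    if target in SYSTEM_TREES:
                        hits.append((line_no, cwd, part.strip(), target))
    return hits
```

Run it against a copy of the history file read from trusted media rather than with tools on the suspect machine; symbolic modes that begin with "-" (such as `chmod -R -w .`) are not recognised by this sketch.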