
RE: [cobalt-security] Have I been hacked?



Simon Wilson wrote:
> We already run chkrootkit on a daily basis using cron (your advice I
> believe) and it is reporting nothing unusual.

...then tripwire is reporting something completely different.

> I ran a netstat on the machine, nothing unusual.

Good, although you can't trust a binary on a machine you think has been
compromised.

At a rough guess, tripwire is complaining that either dates or permissions
have changed. Have you run something which 'hardens' the RaQ by locking down
certain binaries? Or have you recently installed a wrapped-up Cobalt system
update?

Or alternatively; have a dig through /root/.bash_history for 'chmod -R'.
Possibly someone accidentally ran it whilst sitting in / - I have, sadly,
done this myself before. That time though I totally blew the machine away :(

I'd be more worried if it was only specific files, but the fact that
everything in a bagload of dirs has been modified signifies one (or more)
of:
 a dropped bollock by an administrator
 a script error
 a (bad?) Cobalt update
 an extremely wide-ranging rootkit
 an extremely talented cracker

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
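An added illustration of the distinction drawn in the reply above (example code, not from the original thread or Graeme's own tooling): a small snapshot-and-compare check that tells a blanket permission change, such as an accidental `chmod -R`, apart from files whose contents were actually replaced. It assumes GNU coreutils (`stat -c`, `sha256sum`) and paths without whitespace; the directory tree in `demo` is constructed for the example.

```shell
# Snapshot-and-compare check in the spirit of tripwire: record hash, mode and
# mtime per file, then classify changes so a recursive chmod accident can be
# told apart from replaced files. Assumes GNU coreutils and whitespace-free paths.

# snapshot DIR -> lines of "<sha256> <octal mode> <mtime epoch> <path>"
snapshot() {
    find "$1" -type f | sort | while read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c '%a %Y' "$f")" "$f"
    done
}

# compare BASELINE DIR -> one line per changed file, then the verdict:
# content (data or existence changed), mode-only, mtime-only, or clean
compare() {
    base=$1; now=$(mktemp); snapshot "$2" > "$now"
    content=0; mode=0; mtime=0
    while read -r h m t p; do
        cur=$(awk -v p="$p" '$4 == p' "$now")
        if [ -z "$cur" ]; then echo "MISSING $p"; content=$((content + 1)); continue; fi
        set -- $cur
        if [ "$1" != "$h" ]; then echo "CONTENT $p"; content=$((content + 1))
        elif [ "$2" != "$m" ]; then echo "MODE $m->$2 $p"; mode=$((mode + 1))
        elif [ "$3" != "$t" ]; then echo "MTIME $p"; mtime=$((mtime + 1))
        fi
    done < "$base"
    rm -f "$now"
    if [ "$content" -gt 0 ]; then echo content
    elif [ "$mode" -gt 0 ]; then echo mode-only
    elif [ "$mtime" -gt 0 ]; then echo mtime-only
    else echo clean; fi
}

# demo: constructed tree and baseline, then a recursive chmod and an overwrite
demo() {
    d=$(mktemp -d); b=$(mktemp)
    mkdir -p "$d/bin" "$d/etc"
    echo "echo hi" > "$d/bin/tool"; chmod 755 "$d/bin/tool"
    echo "key=1" > "$d/etc/conf"; chmod 644 "$d/etc/conf"
    snapshot "$d" > "$b"
    chmod -R 700 "$d"                    # the accidental "chmod -R" case
    v1=$(compare "$b" "$d" | tail -n 1)  # mode-only: contents untouched
    echo "changed" > "$d/bin/tool"       # a file whose contents were replaced
    v2=$(compare "$b" "$d" | tail -n 1)  # content: the alarm worth chasing
    rm -rf "$d" "$b"
    echo "$v1 $v2"
}
```

Run `snapshot /usr/bin > baseline` on a known-good system and `compare baseline /usr/bin` later; a report that is all MODE lines points at an administrator or update script, while any CONTENT or MISSING line is the case to treat as a compromise.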