
Re: Re[2]: [cobalt-security] amd root?



Hi Eugene,

> If you are using vi(m), save with ":w!" command, with exclamation mark.
> Vi tries to be "friendly" and stops you if it *thinks* that you cannot
> write to the file rather than when attempt to write in fact fails.

I used vi, pico and midnight commander. I even tried to copy, move and to 
echo into the file. To no avail. User "root" didn't have the permission to 
modify /etc/shadow on that system. 

Comparison of /proc/ksyms with a reference system did suggest that a 
malicious kernel module had been inserted, responsible for that hiccup. 

Apparently the insertion of this module was done before /etc/rc.d/rc.sysinit 
was completely executed upon server startup and the file had not been 
modified. At that point I aborted my audit and suggested an OS restore. Now I 
wish I had at least taken the bandwidth-monitoring module apart, as it seems 
to have been replaced with the malicious LKM. Nothing else would make sense. 
:o/

-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
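As an added example, not from the original thread, here is a small Python script in the spirit of the /proc/ksyms comparison described above: it parses two dumps in the 2.4-era ksyms format (kernel symbols as "<addr> <symbol>", module symbols with a trailing "[module]") and reports symbols the live kernel exports that the reference system does not, which symbols changed address, and which modules export the new symbols. Both dumps, the module name bwmon and all symbol names are constructed for the example.

```python
import re
from typing import Dict, NamedTuple, Optional

# Constructed sample dumps in the 2.4-era /proc/ksyms format: "<addr> <symbol>"
# for core kernel symbols, "<addr> <symbol>\t[<module>]" for symbols a module exports.
REFERENCE_KSYMS = """\
c0105000 do_fork
c0106a40 sys_call_table
c01c3220 sys_open
d0800040 bwmon_init\t[bwmon]
"""

LIVE_KSYMS = """\
c0105000 do_fork
c0106a40 sys_call_table
c01c3220 sys_open
d0800040 bwmon_init\t[bwmon]
d0812000 hide_module\t[bwmon]
d0812100 hooked_sys_open\t[bwmon]
"""

class Sym(NamedTuple):
    addr: int
    module: Optional[str]   # None for symbols exported by the core kernel

LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S+)(?:\s+\[([^\]]+)\])?\s*$")

def parse_ksyms(text: str) -> Dict[str, Sym]:
    """Map symbol name -> (address, owning module) from a ksyms dump."""
    syms: Dict[str, Sym] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue        # skip blank or unparseable lines
        addr, name, module = m.groups()
        syms[name] = Sym(int(addr, 16), module)
    return syms

def compare_ksyms(reference: str, live: str) -> dict:
    """Report what the live kernel exports that the reference system does not."""
    ref, cur = parse_ksyms(reference), parse_ksyms(live)
    added = sorted(set(cur) - set(ref))
    removed = sorted(set(ref) - set(cur))
    moved = sorted(n for n in set(ref) & set(cur) if ref[n].addr != cur[n].addr)
    # Modules that export at least one symbol the reference system never had;
    # a known module showing up here is the "replaced module" case.
    suspect = sorted({cur[n].module for n in added if cur[n].module})
    return {"added": added, "removed": removed, "moved": moved, "suspect_modules": suspect}

if __name__ == "__main__":
    for key, val in compare_ksyms(REFERENCE_KSYMS, LIVE_KSYMS).items():
        print(f"{key}: {val}")
```

On a real system the reference dump must come from a trusted, identically built kernel; a differing kernel version will show many moved symbols that mean nothing.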