
Re: [cobalt-security] gmon.out a security issue?



On Tuesday 02 April 2002 09:53 pm, Gerald Waugh wrote:
> -rw-r--r--  1 root  root  1095 Apr  1 14:04 /gmon.out
> I found one on one of my RaQ4s
> Notice the date Apr 1
> is this a fools file?
=================== M O R E =================
[root /]# ls -l -R | grep "Apr  1 14:"
-rw-r--r--   1 root   root          1095 Apr  1 14:04 gmon.out
-rw-------   1 root   root        32768 Apr  1 14:02 adm_ssl_scache.pag
drwxrwsr-x  19 nobody site2   1024 Apr  1 14:02 web
-rw-rw-r--   1 nobody   site2   9098 Apr  1 14:01 index.html

Apr  1 13:58:12 fsn3 sshd[1086]: Accepted password for admin from 216.47.168.9 port 55842 ssh2
Apr  1 13:58:12 fsn3 PAM_pwdb[1086]: (sshd) session opened for user admin by (uid=0)
Apr  1 14:02:03 fsn3 sshd[1086]: Received disconnect from 216.47.168.9: 11: All open channels closed
Apr  1 14:02:03 fsn3 PAM_pwdb[1086]: (sshd) session closed for user admin

Now, admin logged onto the server at 13:58:12 on Apr 1st
and logged out at 14:02:03 on Apr 1st.
admin edited site2/index.html

admin logged into the admin GUI at  14:02:56
[01/Apr/2002:14:02:57 -0500] "GET /cgi-bin/.cobalt/siteList/siteList.cgi
[01/Apr/2002:14:02:58 -0500] "GET /cgi-bin/.cobalt/alertSignal/alertSignal.cgi
[01/Apr/2002:14:03:01 -0500] "GET /cgi-bin/.cobalt/siteList/siteList.cgi
[01/Apr/2002:14:03:02 -0500] "GET /cgi-bin/.cobalt/alertSignal/alertSignal.cgi
[01/Apr/2002:14:03:20 -0500] "GET/cgi-bin/.cobalt/alert/alert.cgi
[01/Apr/2002:14:03:23 -0500] "GET /cgi-bin/.cobalt/alertSignal/alertSignal.cgi
[01/Apr/2002:14:03:24 -0500] "GET /cgi-bin/.cobalt/alert/alert.cgi
[01/Apr/2002:14:03:28 -0500] "GET /cgi-bin/.cobalt/raidUsage/raidUsage.cgi
[01/Apr/2002:14:03:35 -0500] "GET /cgi-bin/.cobalt/alert/alert.cgi
[01/Apr/2002:14:03:44 -0500] "GET /cgi-bin/.cobalt/alertSignal/alertSignal.cgi
[01/Apr/2002:14:03:45 -0500] "GET /cgi-bin/.cobalt/siteList/siteList.cg
[01/Apr/2002:14:03:58 -0500] "GET /cgi-bin/.cobalt/alertSignal/alertSignal.cgi
[01/Apr/2002:14:03:58 -0500] "GET /cgi-bin/.cobalt/alert/alert.cgi
[01/Apr/2002:14:04:04 -0500] "GET /cgi-bin/.cobalt/alert/service.cgi
and logged out at  14:04:51

Maybe one of these CGIs did it???

I can't find where anyone else was logged into this server at those times???

- 
Gerald Waugh : Registered Linux user # 255245
http://www.frontstreetnetworks.com
Front Street Networks LLC - ph. 203.785.0699
229 Front Street, Ste. #C, New Haven, CT, United States of America
10:08pm up 12 days, 6:33, 3 users, load average: 2.03, 1.77, 1.64
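
The correlation done by hand in this message, as an added example that is not part of the original post: it pairs the sshd login and logout lines into a session window, parses the admin GUI requests, and reports which logged activity overlaps the minute shown by `ls -l` for a file. The function names, the year for the syslog lines, and the assumption that both logs use server-local time are mine; the log lines are copied from the post.

```python
import re
from datetime import datetime, timedelta

YEAR = 2002  # assumption: syslog lines carry no year; taken from the access log
# Lines copied from the post (wrapped lines rejoined, subset of the GUI requests).
SYSLOG = """\
Apr  1 13:58:12 fsn3 sshd[1086]: Accepted password for admin from 216.47.168.9 port 55842 ssh2
Apr  1 14:02:03 fsn3 PAM_pwdb[1086]: (sshd) session closed for user admin
"""
ACCESS = """\
[01/Apr/2002:14:02:57 -0500] "GET /cgi-bin/.cobalt/siteList/siteList.cgi
[01/Apr/2002:14:03:58 -0500] "GET /cgi-bin/.cobalt/alert/alert.cgi
[01/Apr/2002:14:04:04 -0500] "GET /cgi-bin/.cobalt/alert/service.cgi
"""

def ssh_sessions(text):
    """Pair 'Accepted password' with 'session closed' by sshd PID."""
    opened, sessions = {}, []
    for line in text.splitlines():
        m = re.match(r"(\w{3}\s+\d+ [\d:]{8}) \S+ \w+\[(\d+)\]: (.*)", line)
        if not m:
            continue
        stamp = " ".join(m[1].split())  # collapse the padded day ("Apr  1")
        ts = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        pid, msg = m[2], m[3]
        if msg.startswith("Accepted password for "):
            opened[pid] = (msg.split()[3], ts)
        elif "session closed" in msg and pid in opened:
            user, start = opened.pop(pid)
            sessions.append((user, start, ts))
    return sessions

def gui_hits(text):
    """(timestamp, path) per request; both logs are assumed to be server-local time."""
    pat = r'\[(\S+) [-+]\d{4}\] "GET\s*(\S+)'
    return [(datetime.strptime(m[1], "%d/%b/%Y:%H:%M:%S"), m[2])
            for m in re.finditer(pat, text)]

def activity_in_minute(mtime, sessions, hits):
    """ls -l shows mtime to the minute, so test overlap with [mtime, mtime + 60s)."""
    lo, hi = mtime, mtime + timedelta(minutes=1)
    ssh = [s for s in sessions if s[1] < hi and s[2] >= lo]
    web = [path for ts, path in hits if lo <= ts < hi]
    return ssh, web

if __name__ == "__main__":
    gmon_mtime = datetime(2002, 4, 1, 14, 4)  # "Apr  1 14:04" from the ls output
    print(activity_in_minute(gmon_mtime, ssh_sessions(SYSLOG), gui_hits(ACCESS)))
```

Overlap only narrows the candidates to activity that left a log line; a process that logged nothing in that minute is not covered.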