Re: [cobalt-security] gmon.out a security issue?
- Subject: Re: [cobalt-security] gmon.out a security issue?
- From: Gerald Waugh <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 2 Apr 2002 22:50:41 -0500
- Organization: Front Street Networks LLC
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Tuesday 02 April 2002 09:53 pm, Gerald Waugh wrote:
> -rw-r--r-- 1 root root 1095 Apr 1 14:04 /gmon.out
> I found one on one of my RaQ4s
> Notice the date Apr 1
> is this a fools file?
=================== M O R E =================
[root /]# ls -l -R | grep "Apr 1 14:"
-rw-r--r-- 1 root root 1095 Apr 1 14:04 gmon.out
-rw------- 1 root root 32768 Apr 1 14:02 adm_ssl_scache.pag
drwxrwsr-x 19 nobody site2 1024 Apr 1 14:02 web
-rw-rw-r-- 1 nobody site2 9098 Apr 1 14:01 index.html
Apr 1 13:58:12 fsn3 sshd[1086]: Accepted password for admin from 216.47.168.9 port 55842 ssh2
Apr 1 13:58:12 fsn3 PAM_pwdb[1086]: (sshd) session opened for user admin by (uid=0)
Apr 1 14:02:03 fsn3 sshd[1086]: Received disconnect from 216.47.168.9: 11: All open channels closed
Apr 1 14:02:03 fsn3 PAM_pwdb[1086]: (sshd) session closed for user admin
Now, admin logged onto the server at 13:58:12 on Apr 1st and logged out at 14:02:03 on Apr 1st
admin edited site2/index.html
admin logged into the admin GUI at 14:02:56
[01/Apr/2002:14:02:57 -0500] "GET /cgi-bin/.cobalt/siteList/siteList.cgi
[01/Apr/2002:14:02:58 -0500] "GET /cgi-bin/.cobalt/alertSignal/alertSignal.cgi
[01/Apr/2002:14:03:01 -0500] "GET /cgi-bin/.cobalt/siteList/siteList.cgi
[01/Apr/2002:14:03:02 -0500] "GET /cgi-bin/.cobalt/alertSignal/alertSignal.cgi
[01/Apr/2002:14:03:20 -0500] "GET/cgi-bin/.cobalt/alert/alert.cgi
[01/Apr/2002:14:03:23 -0500] "GET /cgi-bin/.cobalt/alertSignal/alertSignal.cgi
[01/Apr/2002:14:03:24 -0500] "GET /cgi-bin/.cobalt/alert/alert.cgi
[01/Apr/2002:14:03:28 -0500] "GET /cgi-bin/.cobalt/raidUsage/raidUsage.cgi
[01/Apr/2002:14:03:35 -0500] "GET /cgi-bin/.cobalt/alert/alert.cgi
[01/Apr/2002:14:03:44 -0500] "GET /cgi-bin/.cobalt/alertSignal/alertSignal.cgi
[01/Apr/2002:14:03:45 -0500] "GET /cgi-bin/.cobalt/siteList/siteList.cg
[01/Apr/2002:14:03:58 -0500] "GET /cgi-bin/.cobalt/alertSignal/alertSignal.cgi
[01/Apr/2002:14:03:58 -0500] "GET /cgi-bin/.cobalt/alert/alert.cgi
[01/Apr/2002:14:04:04 -0500] "GET /cgi-bin/.cobalt/alert/service.cgi
and logged out at 14:04:51
Maybe one of these CGIs did it???
I can't find where anyone else was logged into this server at those times???
-
Gerald Waugh : Registered Linux user # 255245
http://www.frontstreetnetworks.com
Front Street Networks LLC - ph. 203.785.0699
229 Front Street, Ste. #C, New Haven, CT, United States of America
10:08pm up 12 days, 6:33, 3 users, load average: 2.03, 1.77, 1.64
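
The correlation done by hand in this message, as an added example that is not part of the original post: it takes the one-minute window that `ls -l` gives for `/gmon.out` and reports which SSH sessions were open and which admin CGI requests arrived inside it. The log lines are copied from the message; the function names, the year 2002 for the syslog lines, and the assumption that both logs use the same local clock are mine.

```python
import re
from datetime import datetime

# Log lines copied from the message (wrapped syslog lines rejoined).
SYSLOG = """\
Apr 1 13:58:12 fsn3 PAM_pwdb[1086]: (sshd) session opened for user admin by (uid=0)
Apr 1 14:02:03 fsn3 PAM_pwdb[1086]: (sshd) session closed for user admin
"""
ACCESS = """\
[01/Apr/2002:14:03:20 -0500] "GET/cgi-bin/.cobalt/alert/alert.cgi
[01/Apr/2002:14:03:58 -0500] "GET /cgi-bin/.cobalt/alert/alert.cgi
[01/Apr/2002:14:04:04 -0500] "GET /cgi-bin/.cobalt/alert/service.cgi
"""
# ls -l prints minutes only, so the mtime lies somewhere in [14:04:00, 14:05:00).
WINDOW = (datetime(2002, 4, 1, 14, 4), datetime(2002, 4, 1, 14, 5))

def ssh_sessions(text, year=2002):
    """Pair PAM 'session opened/closed' lines by PID -> [(user, start, end)].
    Syslog carries no year; 2002 is taken from the message date (assumption)."""
    opened, out = {}, []
    pat = re.compile(r"(\w{3}\s+\d+\s+[\d:]{8}) \S+ PAM_pwdb\[(\d+)\]: "
                     r"\(sshd\) session (opened|closed) for user (\S+)")
    for m in pat.finditer(text):
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        if m[3] == "opened":
            opened[m[2]] = (m[4], ts)
        else:  # a close with no matching open started before the log begins
            user, start = opened.pop(m[2], (m[4], None))
            out.append((user, start, ts))
    # Sessions with no 'closed' line are still open: end is None.
    return out + [(user, start, None) for user, start in opened.values()]

def http_requests(text):
    """Parse the access-log fragments -> [(timestamp, path)]; tolerates 'GET/'."""
    pat = re.compile(r'\[(\S+) [+-]\d{4}\] "\w+?\s*(/\S*)')
    return [(datetime.strptime(m[1], "%d/%b/%Y:%H:%M:%S"), m[2])
            for m in pat.finditer(text)]

def in_window(window, sessions, requests):
    """Return (sessions overlapping the window, requests falling inside it)."""
    lo, hi = window
    live = [s for s in sessions
            if (s[1] is None or s[1] < hi) and (s[2] is None or s[2] >= lo)]
    hits = [r for r in requests if lo <= r[0] < hi]
    return live, hits

if __name__ == "__main__":
    print(in_window(WINDOW, ssh_sessions(SYSLOG), http_requests(ACCESS)))
```

On these lines it reports no open SSH session and one request inside the window, `service.cgi` at 14:04:04. That narrows where to look; it does not by itself show which process wrote the file.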