[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] Have you been hacked?

Hi,
The rpm -Vf command verifies the file specified against the information about the original installed files stored in the rpm database. Do a 'man rpm' for more info. This command can be useful to tell whether files have been modified in any way since the original install.
In your case, it seems that the files are failing the 'Mode' test. This could mean the ownership/file permissions have been altered. 

Whether this is a cause for alarm is another matter entirely.

Regards,

Glen Scott



I got this from my provider security list:

------------------------------------------------------
Have you been hacked?


To determine if your server has been compromised,
using recent BIND exploits or any other security hole,
check the following command at the command prompt...

rpm -Vf /bin/login /usr/sbin/tcpd | grep bin

If you get any result - your server has most likely
been compromised.
------------------------------------------------------

I tried the above command on IBM Linux and showed no
output GREAT..

BUT with the RaQ4 server it showed the below output:

..?.....   /usr/bin/chfn
..?.....   /usr/bin/chsh
.M?.....   /usr/bin/newgrp
.M......   /usr/bin/write

anyone knows why?? and what these outputs means!

Thanks
wserv_discuss@xxxxxxxxx


__________________________________________________
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security


--

Get your own FREE TaskManager at: http://tasks.dessol.net/
---
  Design Solution Limited
  t: +44 (0)1502 513008
  f: +44 (0)870 460 2518
  e: info@xxxxxxxxxxxxxxxxxxxx
  w: http://www.designsolution.co.uk
  Nouvotech House, Harbour Road,
  Oulton Broad, Suffolk, NR32 3LZ, UK
---