
Re: [cobalt-security] Have you been hacked?



I get the same result on my Raq3.

> ..?.....   /usr/bin/chfn
> ..?.....   /usr/bin/chsh
> .M?.....   /usr/bin/newgrp
> .M......   /usr/bin/write

The question marks there mean that the rpm program can't verify the
contents of those three files (it can't calculate their MD5 hashes)
because it doesn't have permission to read them.  This is what those
files look like on my machine:

$ ls -l  /usr/bin/chfn  /usr/bin/chsh  /usr/bin/newgrp
-rws--x--x   1 root     root        14088 Apr 17  1999 /usr/bin/chfn
-rws--x--x   1 root     root        13800 Apr 17  1999 /usr/bin/chsh
-rwx--x--x   1 root     root         5576 Apr 17  1999 /usr/bin/newgrp

If I log in as root, and do that "rpm -Vf ..." thing again, then those
three question marks don't appear; so there doesn't seem to be a problem
here.

The M's mean that the permissions or ownerships of those two files have
changed (as Glen Scott pointed out).  This is what they look like on my
machine:

$ ls -l  /usr/bin/newgrp  /usr/bin/write
-rwx--x--x   1 root     root         5576 Apr 17  1999 /usr/bin/newgrp
-rwxr-xr-x   1 root     tty          8392 Apr 17  1999 /usr/bin/write

Neither one looks suspicious to me.  (Does anyone know how to find out
the original permissions with rpm?)  So again there doesn't seem to be
a problem here.


On Thu, 11 Jul 2002 16:25:57 -0700 (PDT)
Webdev <wserv_discuss@xxxxxxxxx> wrote:

> Hi.
> 
> I got this from my provider security list:
> 
> ------------------------------------------------------
> Have you been hacked?
> 
> 
> To determine if your server has been compromised,
> using recent BIND exploits or any other security hole,
> check the following command at the command prompt...
> 
> rpm -Vf /bin/login /usr/sbin/tcpd | grep bin
> 
> If you get any result - your server has most likely
> been compromised.
> ------------------------------------------------------
> 
> I tried the above command on IBM Linux and it showed no
> output. GREAT..
> 
> BUT with the RaQ4 server it showed the output below:
> 
> ..?.....   /usr/bin/chfn
> ..?.....   /usr/bin/chsh
> .M?.....   /usr/bin/newgrp
> .M......   /usr/bin/write
> 
> Does anyone know why, and what these outputs mean?
> 
> Thanks
> wserv_discuss@xxxxxxxxx
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
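
An added example, not part of the original messages: a small triage script for `rpm -V` output that separates attributes rpm reports as changed from attributes it could not check (the `?` case discussed above). The function names and verdict wording are this example's own; the column order is the standard rpm verify layout, and `SAMPLE` is the output quoted in the thread.

```python
import re

# Attribute columns of an `rpm -V` line, in order. Older rpm prints eight
# columns; newer releases append a ninth (P, capabilities).
COLUMNS = ["size", "mode", "digest", "device", "symlink",
           "user", "group", "mtime", "caps"]
# flags, optional file-type marker (c, d, g, l, r), then the path
LINE_RE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([a-z])\s+)?(/.*)$")

# The four lines quoted in the thread.
SAMPLE = """\
..?.....   /usr/bin/chfn
..?.....   /usr/bin/chsh
.M?.....   /usr/bin/newgrp
.M......   /usr/bin/write
"""

def parse_verify_line(line):
    """Return (path, changed, unverified) for one line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags, _marker, path = m.groups()
    # '.' = test passed, '?' = test could not be run, letter/digit = differs
    changed = [n for n, c in zip(COLUMNS, flags) if c not in ".?"]
    unverified = [n for n, c in zip(COLUMNS, flags) if c == "?"]
    return path, changed, unverified

def triage(output):
    """Map each reported path to a short verdict string."""
    findings = {}
    for line in output.splitlines():
        if line.startswith("missing"):
            findings[line.split()[-1]] = "file missing"
            continue
        parsed = parse_verify_line(line)
        if parsed is None:
            continue
        path, changed, unverified = parsed
        if "digest" in changed:
            verdict = "content differs from package"
        elif changed:
            verdict = "metadata differs: " + ", ".join(changed)
        else:
            verdict = "nothing changed"
        if unverified:
            verdict += "; not checked (re-run as root): " + ", ".join(unverified)
        findings[path] = verdict
    return findings

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{path}: {verdict}")
```

A `?` in the digest column only means the check did not run, so the verdict for that file stays open until the verify is repeated with enough privilege to read it.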