Re: [cobalt-security] Have you been hacked?
- Subject: Re: [cobalt-security] Have you been hacked?
- From: Daniel Phillips <danielp@xxxxxxxxxxx>
- Date: Fri, 12 Jul 2002 18:39:41 +1000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
I get the same result on my RaQ3.

> ..?..... /usr/bin/chfn
> ..?..... /usr/bin/chsh
> .M?..... /usr/bin/newgrp
> .M...... /usr/bin/write

The question marks there mean that the rpm program can't verify the
contents of those three files (it can't calculate their MD5 hashes)
because it doesn't have permission to read them. This is what those
files look like on my machine:

$ ls -l /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp
-rws--x--x 1 root root 14088 Apr 17 1999 /usr/bin/chfn
-rws--x--x 1 root root 13800 Apr 17 1999 /usr/bin/chsh
-rwx--x--x 1 root root 5576 Apr 17 1999 /usr/bin/newgrp

If I log in as root, and do that "rpm -Vf ..." thing again, then those
three question marks don't appear; so there doesn't seem to be a problem
here.

The M's mean that the permissions or ownerships of those two files have
changed (as Glen Scott pointed out). This is what they look like on my
machine:

$ ls -l /usr/bin/newgrp /usr/bin/write
-rwx--x--x 1 root root 5576 Apr 17 1999 /usr/bin/newgrp
-rwxr-xr-x 1 root tty 8392 Apr 17 1999 /usr/bin/write

Neither one looks suspicious to me. (Does anyone know how to find out
the original permissions with rpm?) So again there doesn't seem to be
a problem here.

On Thu, 11 Jul 2002 16:25:57 -0700 (PDT)
Webdev <wserv_discuss@xxxxxxxxx> wrote:
> Hi.
>
> I got this from my provider security list:
>
> ------------------------------------------------------
> Have you been hacked?
>
>
> To determine if your server has been compromised,
> using recent BIND exploits or any other security hole,
> check the following command at the command prompt...
>
> rpm -Vf /bin/login /usr/sbin/tcpd | grep bin
>
> If you get any result - your server has most likely
> been compromised.
> ------------------------------------------------------
>
> I tried the above command on IBM Linux and it showed no
> output, GREAT..
>
> BUT with the RaQ4 server it showed the output below:
>
> ..?..... /usr/bin/chfn
> ..?..... /usr/bin/chsh
> .M?..... /usr/bin/newgrp
> .M...... /usr/bin/write
>
> Does anyone know why, and what these outputs mean?
>
> Thanks
> wserv_discuss@xxxxxxxxx
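
Added example, not part of the original message or of any Cobalt or RPM tooling: a small Python decoder for the 8-character `rpm -V` flag field discussed in this thread. `rpm -Vf FILE` verifies every file in the package that owns FILE, so the script separates the files named on the command line from the other package files the `grep bin` filter lets through, and lists the files whose `?` means a test was not run (per the reply above, verify those again as root). The function names and the `watched` parameter are hypothetical.

```python
import re

# Tests behind each column of the 8-character `rpm -V` flag field shown in
# this thread (newer RPM releases append further columns).
TESTS = ["size", "mode", "MD5 digest", "device", "symlink target",
         "owner", "group", "mtime"]
LINE = re.compile(r"^([A-Z0-9.?]{8,})\s+(?:[a-z]\s+)?(/.*)$")

# Output quoted in this thread (RaQ4, run as a non-root user).
SAMPLE = """\
..?..... /usr/bin/chfn
..?..... /usr/bin/chsh
.M?..... /usr/bin/newgrp
.M...... /usr/bin/write
"""

def parse_verify(output):
    """Map each reported path to the tests that failed and those not run."""
    report = {}
    for raw in output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and "missing ..." lines are not decoded here
        flags, path = m.groups()
        failed, unchecked = [], []
        for test, ch in zip(TESTS, flags):
            if ch == "?":
                unchecked.append(test)  # rpm could not perform this test
            elif ch != ".":
                failed.append(test)
        report[path] = {"failed": failed, "unchecked": unchecked}
    return report

def triage(output, watched):
    """Split findings into watched files, other package files, and reruns."""
    report = parse_verify(output)
    hits = {p: r for p, r in report.items() if p in watched}
    others = {p: r for p, r in report.items() if p not in watched}
    rerun_as_root = sorted(p for p, r in report.items() if r["unchecked"])
    return hits, others, rerun_as_root

if __name__ == "__main__":
    hits, others, rerun = triage(SAMPLE, {"/bin/login", "/usr/sbin/tcpd"})
    print("watched files reported:", hits or "none")
    for path, r in others.items():
        print(path, "failed:", r["failed"], "not run:", r["unchecked"])
    print("verify again as root:", rerun)
```

To compare a reported mode against what the package recorded, `rpm -qlv PACKAGE` lists each packaged file with the permissions, owner and group stored in the RPM database.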