Re: [cobalt-security] Have you been hacked?
- Subject: Re: [cobalt-security] Have you been hacked?
- From: Webdev <wserv_discuss@xxxxxxxxx>
- Date: Fri, 12 Jul 2002 03:51:37 -0700 (PDT)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hello Daniel,
Thanks for the detailed answer. When I log in as root and execute that rpm -Vf .. command I get only two files (but on admin I get 4, three with ? marks, as I mentioned in my first msg):
Under root the command shows:
.M...... /usr/bin/newgrp
.M...... /usr/bin/write
These are my 2 files' permissions on my server:
ls -l /usr/bin/newgrp /usr/bin/write
-rwx--x--x 1 root root 5780 Jun 20 2000 /usr/bin/newgrp
-rwxr-xr-x 1 root tty 8648 Jun 20 2000 /usr/bin/write
Thanks
wserv_discuss@xxxxxxxxx
--- Daniel Phillips <danielp@xxxxxxxxxxx> wrote:
> I get the same result on my Raq3.
>
> > ..?..... /usr/bin/chfn
> > ..?..... /usr/bin/chsh
> > .M?..... /usr/bin/newgrp
> > .M...... /usr/bin/write
>
> The question marks there mean that the rpm program can't verify the
> contents of those three files (it can't calculate their MD5 hashes)
> because it doesn't have permission to read them. This is what those
> files look like on my machine:
>
> $ ls -l /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp
> -rws--x--x 1 root root 14088 Apr 17 1999 /usr/bin/chfn
> -rws--x--x 1 root root 13800 Apr 17 1999 /usr/bin/chsh
> -rwx--x--x 1 root root 5576 Apr 17 1999 /usr/bin/newgrp
>
> If I log in as root, and do that "rpm -Vf ..." thing again, then those
> three question marks don't appear; so there doesn't seem to be a problem
> here.
>
> The M's mean that the permissions or ownerships of those two files have
> changed (as Glen Scott pointed out). This is what they look like on my
> machine:
>
> $ ls -l /usr/bin/newgrp /usr/bin/write
> -rwx--x--x 1 root root 5576 Apr 17 1999 /usr/bin/newgrp
> -rwxr-xr-x 1 root tty 8392 Apr 17 1999 /usr/bin/write
>
> Neither one looks suspicious to me. (Does anyone know how to find out
> the original permissions with rpm?) So again there doesn't seem to be
> a problem here.
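
Added example, not part of the original messages and not rpm's own code: a small parser for the "rpm -V" lines quoted in this thread, which separates an attribute that changed from one that could not be checked ("?") and shows why the admin and root runs differ. The function names, status strings and the /etc/example.conf line are assumptions made for illustration.

```python
import re

# Column order of the "rpm -V" verify string. The output quoted in this thread
# has 8 columns; newer rpm appends a 9th, P (capabilities).
COLUMNS = ["size", "mode", "md5", "device", "symlink", "owner", "group",
           "mtime", "capabilities"]
# Flags, optional file-type marker (c, d, g, l, r), then the absolute path.
LINE = re.compile(r"^([.?A-Za-z0-9]{8,9})\s+(?:[cdglr]\s+)?(/.*)$")

# Lines reported in this thread: admin login first, then root login.
AS_ADMIN = """\
..?..... /usr/bin/chfn
..?..... /usr/bin/chsh
.M?..... /usr/bin/newgrp
.M...... /usr/bin/write
"""
AS_ROOT = """\
.M...... /usr/bin/newgrp
.M...... /usr/bin/write
"""
# Constructed line (not from the thread): a config file whose content changed.
CONSTRUCTED = "S.5....T c /etc/example.conf\n"


def parse_verify_line(line):
    """Return (path, changed, unchecked) for one "rpm -V" line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    flags, path = m.groups()
    changed = [n for n, f in zip(COLUMNS, flags) if f not in ".?"]
    unchecked = [n for n, f in zip(COLUMNS, flags) if f == "?"]
    return path, changed, unchecked


def triage(output):
    """Map path -> (status, changed, unchecked); status names are hypothetical."""
    result = {}
    for path, changed, unchecked in filter(None, map(parse_verify_line, output.splitlines())):
        status = ("content-differs" if "md5" in changed      # body != package
                  else "recheck-as-root" if unchecked         # "?": test not run
                  else "metadata-changed" if changed else "ok")
        result[path] = (status, changed, unchecked)
    return result


if __name__ == "__main__":
    print(triage(AS_ADMIN), triage(AS_ROOT), triage(CONSTRUCTED), sep="\n")
```

A "recheck-as-root" result says nothing about the file itself, only that the digest test did not run under that login.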