[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] Have you been hacked?

Subject: Re: [cobalt-security] Have you been hacked?
From: Webdev <wserv_discuss@xxxxxxxxx>
Date: Fri, 12 Jul 2002 03:51:37 -0700 (PDT)
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Hello Daniel,

Thanks for the detailed answer.  When I login as a
root and execute that rpm -Vf .. command I get only
two files (but on admin I get 4 three with ? marks as
I mentioned in my first msg):

Under root the command shows:

.M......   /usr/bin/newgrp
.M......   /usr/bin/write

These my 2 files permissions on my server:

ls -l  /usr/bin/newgrp  /usr/bin/write
-rwx--x--x   1 root     root         5780 Jun 20  2000
/usr/bin/newgrp
-rwxr-xr-x   1 root     tty          8648 Jun 20  2000
/usr/bin/write

Thanks
wserv_discuss@xxxxxxxxx


--- Daniel Phillips <danielp@xxxxxxxxxxx> wrote:
> I get the same result on my Raq3.
> 
> > ..?.....   /usr/bin/chfn
> > ..?.....   /usr/bin/chsh
> > .M?.....   /usr/bin/newgrp
> > .M......   /usr/bin/write
> 
> The question marks there mean that the rpm program
> can't verify the
> contents of those three files (it can't calculate
> their MD5 hashes)
> because it doesn't have permission to read them. 
> This is what those
> files look like on my machine:
> 
> $ ls -l  /usr/bin/chfn  /usr/bin/chsh 
> /usr/bin/newgrp
> -rws--x--x   1 root     root        14088 Apr 17 
> 1999 /usr/bin/chfn
> -rws--x--x   1 root     root        13800 Apr 17 
> 1999 /usr/bin/chsh
> -rwx--x--x   1 root     root         5576 Apr 17 
> 1999 /usr/bin/newgrp
> 
> If I log in as root, and do that "rpm -Vf ..." thing
> again, then those
> three question marks don't appear; so there doesn't
> seem to be a problem
> here.
> 
> The M's mean that the permissions or ownerships of
> those two files have
> changed (as Glen Scott pointed out).  This is what
> they look like on my
> machine:
> 
> $ ls -l  /usr/bin/newgrp  /usr/bin/write
> -rwx--x--x   1 root     root         5576 Apr 17 
> 1999 /usr/bin/newgrp
> -rwxr-xr-x   1 root     tty          8392 Apr 17 
> 1999 /usr/bin/write
> 
> Neither one looks suspicious to me.  (Does anyone
> know how to  find out
> the original permissions with rpm?)   So again there
> doesn't seem to be
> a problem here.


__________________________________________________
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com

References:
- Re: [cobalt-security] Have you been hacked?
  - From: Daniel Phillips

Prev by Date: Re: [cobalt-security] Have you been hacked?
Next by Date: RE: [cobalt-security] Have you been hacked?
Previous by thread: Re: [cobalt-security] Have you been hacked?
Next by thread: Re: [cobalt-security] Have you been hacked?

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index