Re: [cobalt-security] Have you been hacked?
- Subject: Re: [cobalt-security] Have you been hacked?
- From: Daniel Phillips <danielp@xxxxxxxxxxx>
- Date: Mon, 15 Jul 2002 19:52:45 +1000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Those two "M" files seem to be ok to me. Here's what they were
originally (thanks for the rpm tip, Graeme):

# rpm -qvlif /usr/bin/newgrp | grep bin/newgrp
-rws--x--x root root 5576 Apr 17 1999 /usr/bin/newgrp
# rpm -qvlif /usr/bin/write | grep bin/write
-rwxr-sr-x root tty 8392 Apr 17 1999 /usr/bin/write

Their permissions were changed to this (on my machine):

# ls -l /usr/bin/newgrp /usr/bin/write
-rwx--x--x 1 root root 5576 Apr 17 1999 /usr/bin/newgrp
-rwxr-xr-x 1 root tty 8392 Apr 17 1999 /usr/bin/write

That is, newgrp and write respectively had their SUID and SGID bits
cleared. In other words, the security on these files has been
*tightened*.

These files are config files:

> > S.5....T c /etc/pam.d/chfn
> > S.5....T c /etc/pam.d/chsh
> > S.5....T c /etc/pam.d/login

The S means the size has changed, the 5 means the contents of the file
have changed, the T means the modification time has changed, and the c
means they are config files. But it's not unusual at all for config
files to be changed, so that doesn't point to anything immediately
sinister ... but if you wanted to know for sure, you'd have to inspect
them and work out what is going on of course.

On Mon, 15 Jul 2002 03:54:21 -0400
"David Seaton" <david@xxxxxxxxxxx> wrote:
> Martin,
> No, it's cool man, I -think- everything is fine. Nobody seemed to say anything
> about the last two
> > .M...... /usr/bin/newgrp
> > .M...... /usr/bin/write
> I was just asking about the other messages.
> > S.5....T c /etc/pam.d/chfn
> > S.5....T c /etc/pam.d/chsh
> > S.5....T c /etc/pam.d/login
> If you note, I did not use the "|grep bin" at the end of my execution string.
> Curiosity I suppose.
>
>
> ----- Original Message -----
> From: "Martín Fiumara" <martinfiumara@xxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Sent: Monday, July 15, 2002 3:37 AM
> Subject: Re: [cobalt-security] Have you been hacked?
>
>
> David, can you tell me what that result means? I'm just learning Linux basics
> :)
> Does it mean that the server has been hacked?
> If not, must I reinstall something or fix something? The raq3 has all the
> cobalt patches up to date....
>
> Thanks for the help
>
>
> ----- Original Message -----
> From: "David Seaton" <david@xxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Sent: Monday, July 15, 2002 4:07 AM
> Subject: Re: [cobalt-security] Have you been hacked?
>
>
> > Just for fun I checked myself with:
> > rpm -Vf /bin/login /usr/sbin/tcpd
> >
> > and results were:
> > S.5....T c /etc/pam.d/chfn
> > S.5....T c /etc/pam.d/chsh
> > S.5....T c /etc/pam.d/login
> > .M...... /usr/bin/newgrp
> > .M...... /usr/bin/write
> >
> > Nothing to worry about right?
> >
> > -David Seaton
> >
> > _______________________________________________
> > cobalt-security mailing list
> > cobalt-security@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> >
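
The triage discussed in this thread, as an added example that is not part of the original messages: it decodes the 8-column `rpm -V` result string and classifies an "M" finding by comparing the packaged mode string with the on-disk one. The function names and the category labels are hypothetical; it handles attribute result lines only (not "missing" entries).

```python
import stat

# Attribute letters in the 8-column `rpm -V` result string shown in the thread.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device",
         "L": "symlink", "U": "user", "G": "group", "T": "mtime"}
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_verify_line(line):
    """Return (changed attributes, is_config, path) for one `rpm -V` line."""
    parts = line.split(None, 2)
    changed = [FLAGS[ch] for ch in parts[0] if ch in FLAGS]
    return changed, len(parts) == 3 and parts[1] == "c", parts[-1]

def mode_bits(ls_mode):
    """Convert an ls-style string such as '-rws--x--x' to numeric mode bits."""
    bits = 0
    for i, ch in enumerate(ls_mode[1:10]):
        if ch in "sStT":                 # special bit shown in an execute column
            bits |= SPECIAL[i]
        if ch not in "-ST":              # upper-case S/T: special bit, no execute
            bits |= 1 << (8 - i)
    return bits

def mode_change(packaged, current):
    """Classify an 'M' finding from the packaged and on-disk mode strings."""
    old, new = mode_bits(packaged), mode_bits(current)
    added, removed = new & ~old, old & ~new
    if added & (stat.S_ISUID | stat.S_ISGID):
        return "privilege-added"         # new SUID/SGID bit: highest concern
    if added:
        return "loosened"
    return "tightened" if removed else "unchanged"

def triage(line):
    """Rank a finding: content changes to non-config files come first."""
    changed, is_config, _ = parse_verify_line(line)
    if "digest" in changed:
        return "review-config" if is_config else "investigate-content"
    if set(changed) & {"mode", "user", "group"}:
        return "compare-permissions"
    return "low"

if __name__ == "__main__":
    # Lines copied from the rpm -V, rpm -qvl and ls -l output in the thread.
    for line in ("S.5....T c /etc/pam.d/login", ".M...... /usr/bin/newgrp"):
        print(triage(line), parse_verify_line(line))
    print(mode_change("-rws--x--x", "-rwx--x--x"))   # newgrp
    print(mode_change("-rwxr-sr-x", "-rwxr-xr-x"))   # write
```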