Re: [cobalt-security] Compromised?
- Subject: Re: [cobalt-security] Compromised?
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Mon, 16 Dec 2002 10:35:38 -0500
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
"David Smulsky" <dave@xxxxxxxxxxxxxxxx> wrote:
> I have a Raq550, and for no reason as far as I can tell, my mrtg daemons
> stopped this last Friday at night, and this morning when I realized it, I ran
> chkroot, everything came up clean EXCEPT /root/.bash_history was zero
> bytes..
>
> Is there any possible way Raqs do this to themselves, or should I be
> seriously looking for a hacker, I can't seem to find a trace.
Unless you've made changes to bash's behavior from that on a stock 550,
~root/.bash_history doesn't get cleared out. So if the file is chmod 600,
owned by root:root like it should be, that's likely the result of a rootkit
or manual command by an intruder to cover his/her tracks. Unless, of course,
you've never logged in via the shell as root and executed a command. If it
was my box or a client's I'd definitely investigate.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
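
A triage check for the conditions discussed in the reply above, as an added example that is not part of the original message: it reports whether a history file is zero bytes, a symlink, or has unexpected mode or ownership, and whether a shell startup file changes history settings (which could explain an empty file). The function name, the numeric `0:0` form for root:root and the list of startup files are assumptions; it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example (not from the original post): triage of a shell history file.
# check_history is a hypothetical helper name.
#
# Usage on the host, as root:
#   check_history /root/.bash_history 0:0 /root/.bashrc /root/.bash_profile /etc/profile
#
# check_history FILE EXPECTED_UID:GID [STARTUP_FILE...]
# Prints one finding per line; returns 0 if the file looks normal, 1 otherwise.
check_history() {
    hf_file=$1
    hf_want=$2
    shift 2
    hf_findings=0

    if [ -L "$hf_file" ]; then
        # A history file replaced by a link (for example to /dev/null) never grows.
        echo "SUSPICIOUS: $hf_file is a symlink to $(readlink "$hf_file")"
        hf_findings=1
    elif [ ! -e "$hf_file" ]; then
        echo "SUSPICIOUS: $hf_file does not exist"
        hf_findings=1
    else
        hf_mode=$(stat -c '%a' "$hf_file")      # octal permissions
        hf_owner=$(stat -c '%u:%g' "$hf_file")  # numeric uid:gid
        hf_size=$(stat -c '%s' "$hf_file")      # size in bytes
        [ "$hf_mode" = 600 ] || { echo "NOTE: mode is $hf_mode, expected 600"; hf_findings=1; }
        [ "$hf_owner" = "$hf_want" ] || { echo "NOTE: owner is $hf_owner, expected $hf_want"; hf_findings=1; }
        [ "$hf_size" -gt 0 ] || { echo "SUSPICIOUS: $hf_file is zero bytes"; hf_findings=1; }
    fi

    # Startup files that set or unset history variables are the benign
    # explanation to rule out before treating an empty file as tampering.
    for hf_rc in "$@"; do
        [ -r "$hf_rc" ] || continue
        if grep -Eq '^[[:space:]]*(export[[:space:]]+|unset[[:space:]]+)?(HISTFILE|HISTSIZE|HISTFILESIZE)([=[:space:]]|$)' "$hf_rc"; then
            echo "CONFIG: $hf_rc changes history settings"
        fi
    done
    return "$hf_findings"
}
```

A clean result here does not clear the host; a zero-byte file with no `CONFIG` line is the case the reply says to investigate.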