[cobalt-users] Possible hack?
- Subject: [cobalt-users] Possible hack?
- From: "cars-sold.com" <info@xxxxxxxxxxxxx>
- Date: Mon May 22 10:03:25 2000
Hi
We had a customer on one of our RAQ3s who used his account to spam - we
shut him down pretty quick and while cleaning up found the following. Are
these possibly trojans - new files, changes in UID??
[root@ns admin]# find / -user root -perm -4000 -print
find: /proc/8603/fd/4: No such file or directory
/bin/su
/bin/login
/sbin/pwdb_chkpwd
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/local/majordomo/wrapper
/usr/local/frontpage/version4.0/apache-fp/_vti_bin/fpexe
/usr/sbin/cmos
/usr/sbin/sendmail
/usr/sbin/traceroute
/usr/libexec/pt_chown
/usr/knox/bin/nlservd
/usr/knox/bin/rnavc
/usr/cgiwrap/cgiwrap
/usr/cgiwrap/cgiwrapd
Maybe being paranoid but this is a check recommended by CERT* Advisory
CA-94.01 to find new or modified setuid root files. Maybe you could advise
if this is a problem? Any help would be appreciated.
Gary
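
The find listing in the message shows which setuid root files exist, but telling "new or modified" apart from "shipped that way" takes a comparison against a known-good list. The script below is an added example, not part of the original message: the function names, the SHA-256 baseline format and the file names in the usage comment are assumptions of the example.

```shell
#!/bin/sh
# Added example: baseline and compare setuid files by SHA-256.
# Function names and the "hash  path" line format are this example's own.

# suid_snapshot ROOT [OWNER]: print one "sha256  path" line per setuid file
# owned by OWNER (default root) under ROOT, skipping /proc, sorted by path.
suid_snapshot() {
    find "$1" -path /proc -prune -o \
        -type f -user "${2:-root}" -perm -4000 -exec sha256sum {} + 2>/dev/null |
        sort -k2
}

# suid_compare BASELINE CURRENT: report setuid files that are NEW, MODIFIED
# (same path, different hash) or REMOVED. Returns 1 if anything differs.
suid_compare() {
    awk -v basefile="$1" '
        BEGIN {
            # sha256sum lines: 64 hex chars, two separator chars, then the path
            while ((getline line < basefile) > 0)
                base[substr(line, 67)] = substr(line, 1, 64)
        }
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        !(path in base)    { print "NEW " path; bad = 1; next }
        base[path] != hash { print "MODIFIED " path; bad = 1 }
        { seen[path] = 1 }
        END {
            for (p in base)
                if (!(p in seen)) { print "REMOVED " p; bad = 1 }
            exit bad + 0
        }
    ' "$2"
}

# Usage (file names are placeholders):
#   sh suidcheck.sh snapshot / > baseline.txt     # on a known-good install
#   sh suidcheck.sh snapshot / > current.txt      # on the machine in question
#   sh suidcheck.sh compare baseline.txt current.txt
case "${1:-}" in
    snapshot) suid_snapshot "${2:-/}" "${3:-root}" ;;
    compare)  suid_compare "$2" "$3" ;;
esac
```

The baseline is only meaningful if it was taken from a clean install of the same OS release and kept off the host; a snapshot made after the suspected activity records whatever is already there.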