Re: [cobalt-users] Recent Hacks
- Subject: Re: [cobalt-users] Recent Hacks
- From: "Steve Bassi" <steve@xxxxxxxxx>
- Date: Thu Feb 8 17:53:42 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Does anyone know what vulnerability was exploited that caused people to not
> be able to login via telnet (error: missing /bin/login) and FTP?
>
> BIND?
> PROFTPD?
This is what was discovered on our User Group in the UK.
The following files are modified: (Filename + MD5 checksum for good version)
'/bin/login' => 'e400921eb6a2c84822c5d7de5b4f3057',
'/bin/ls' => 'f482ae701e46005a358a01c139f1ae74',
'/bin/netstat' => 'd0eaec3e6bf397c5a81ce3d19ecd7527',
'/bin/ping' => '9360094b873124bd6b2ac110ea6a5d20',
'/bin/ps' => '6d16efee5baecce7a6db7d1e1a088813',
'/bin/su' => '231be390b7abe8c8ea5e3d9ee0dc8868',
'/etc/rc.d/init.d/network' => '02dee8e3f98e15ede99e77726d1db570',
'/usr/bin/dir' => 'b1713d95fd6664c216ccd113cd1c366a',
'/usr/bin/du' => '5b1e21c2ec8de4676d296df4aee68dbb',
'/usr/bin/find' => '591b34668b1e346061d316e195a22682',
'/usr/bin/passwd' => 'b0ea7b138e3fab9a4d116a3d05685147',
'/usr/sbin/in.telnetd' => '42779825eccdcf19cca89e25d71ab440',
'/usr/sbin/named' => 'db0778ea46c32dd4fded58df21b84500',
'/usr/sbin/sendmail' => '90ccd5bddf9f75d5b6caf78b4fa5f1c1',
This file might have been altered (or alternatively, I may have had a
different version of ipchains installed on my machine):
'/sbin/ipchains' => '25861e4b1dc52f09f4a3889e00f81ac4'
The following files were added which were not present before:
"/bin/xlogin",
"/etc/ld.so.hash",
"/sbin/login",
"/usr/bin/ssh2d",
"/usr/lib/crth.o",
The following directory was added and contains the rootkit:
/lib/security/.config
Rgds
Steve Bassi
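
An added example, not part of the original post: one way to check a system against a list like the one above. It parses manifest lines in the post's `'path' => 'md5',` format, compares each file's MD5 against the known-good value, and reports which of the "added" paths exist. The function names and the `root` parameter are assumptions; `root` lets the suspect disk be mounted read-only on a clean machine, since `ls`, `find` and `ps` on the affected host are among the modified files. The sample data in `demo()` is constructed.

```python
import hashlib
import os
import re
import tempfile

# Matches one manifest line in the post's format: '/path' => 'md5hex',
ENTRY = re.compile(r"""['"]([^'"]+)['"]\s*=>\s*['"]([0-9a-fA-F]{32})['"]""")

def parse_manifest(text):
    """Return {path: md5} for every 'path' => 'md5' pair found in text."""
    return {path: digest.lower() for path, digest in ENTRY.findall(text)}

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(root, manifest, added_paths):
    """Check the filesystem mounted at root; return (mismatched, missing, present_added)."""
    def under(p):
        return os.path.join(root, p.lstrip("/"))
    mismatched, missing = [], []
    for path, good in sorted(manifest.items()):
        target = under(path)
        if not os.path.isfile(target):
            missing.append(path)
        elif md5_of(target) != good:
            mismatched.append(path)
    present = [p for p in added_paths if os.path.lexists(under(p))]
    return mismatched, missing, present

def demo():
    """Constructed sample: a fake root with one intact file, one altered, one added."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("ls", b"original ls"), ("ps", b"tampered ps"), ("xlogin", b"x")):
            with open(os.path.join(root, "bin", name), "wb") as fh:
                fh.write(body)
        manifest = parse_manifest(
            "'/bin/ls' => '%s',\n'/bin/ps' => '%s',\n'/bin/su' => '%s',\n"
            % (hashlib.md5(b"original ls").hexdigest(),
               hashlib.md5(b"original ps").hexdigest(),
               hashlib.md5(b"original su").hexdigest()))
        return audit(root, manifest, ["/bin/xlogin", "/usr/bin/ssh2d"])

if __name__ == "__main__":
    print(demo())
```

A mismatch only means the file differs from the reference build; as the post notes for `/sbin/ipchains`, a different installed version produces the same result.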