
Re: [cobalt-users] Recent Hacks



I have a number of these files present on my system, dated just short of 24
hours ago.  Particularly the rootkit.  I'm not sure how to get an MD5
checksum.  Can I just delete the rootkit?  It's definitely a rootkit?

I'm changing passwords now


> This is what was discovered on our User Group in the UK
>
> The following files are modified: (Filename + MD5 checksum for good
> version)
>
>   '/bin/login'                    => 'e400921eb6a2c84822c5d7de5b4f3057',
>   '/bin/ls'                       => 'f482ae701e46005a358a01c139f1ae74',
>   '/bin/netstat'                  => 'd0eaec3e6bf397c5a81ce3d19ecd7527',
>   '/bin/ping'                     => '9360094b873124bd6b2ac110ea6a5d20',
>   '/bin/ps'                       => '6d16efee5baecce7a6db7d1e1a088813',
>   '/bin/su'                       => '231be390b7abe8c8ea5e3d9ee0dc8868',
>   '/etc/rc.d/init.d/network'      => '02dee8e3f98e15ede99e77726d1db570',
>   '/usr/bin/dir'                  => 'b1713d95fd6664c216ccd113cd1c366a',
>   '/usr/bin/du'                   => '5b1e21c2ec8de4676d296df4aee68dbb',
>   '/usr/bin/find'                 => '591b34668b1e346061d316e195a22682',
>   '/usr/bin/passwd'               => 'b0ea7b138e3fab9a4d116a3d05685147',
>   '/usr/sbin/in.telnetd'          => '42779825eccdcf19cca89e25d71ab440',
>   '/usr/sbin/named'               => 'db0778ea46c32dd4fded58df21b84500',
>   '/usr/sbin/sendmail'            => '90ccd5bddf9f75d5b6caf78b4fa5f1c1',
>
> This file might have been altered (or alternatively, I may have had a
> different version of ipchains installed on my machine):
>
>   '/sbin/ipchains'                => '25861e4b1dc52f09f4a3889e00f81ac4'
>
> The following files were added which were not present before:
>
>   "/bin/xlogin",
>   "/etc/ld.so.hash",
>   "/sbin/login",
>   "/usr/bin/ssh2d",
>   "/usr/lib/crth.o",
>
> The following directory was added and contains the rootkit:
>
>   /lib/security/.config
>
>
> Rgds
>
> Steve Bassi
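
On getting MD5 checksums and comparing them with the list quoted above, an added example (not part of the original thread): it parses entries in the post's `'path' => 'md5'` format and audits a copy of the suspect filesystem mounted under another root from a trusted machine, because `ls` and `find` on the live system are among the files reported as modified. The function names and the mount-point argument are assumptions made for this sketch.

```python
import hashlib
import os
import re

# Two entries copied from the quoted post, in the format it uses.
POST_EXCERPT = """\
>   '/bin/login'                    => 'e400921eb6a2c84822c5d7de5b4f3057',
>   '/bin/ls'                       => 'f482ae701e46005a358a01c139f1ae74',
"""
# Paths the post lists as added (five files plus the rootkit directory).
ADDED = ["/bin/xlogin", "/etc/ld.so.hash", "/sbin/login",
         "/usr/bin/ssh2d", "/usr/lib/crth.o", "/lib/security/.config"]
ENTRY = re.compile(r"'(/[^']+)'\s*=>\s*'([0-9a-f]{32})'")


def parse_manifest(text):
    """Return {path: md5} from lines like  '/bin/ls' => 'f482...',"""
    return dict(ENTRY.findall(text))


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit(root, manifest, added=ADDED):
    """Check the filesystem mounted at `root` (hypothetical mount point).
    Returns (mismatched, missing, present_added) as sorted path lists."""
    mismatched, missing = [], []
    for path, good in manifest.items():
        target = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(target):
            missing.append(path)
        elif md5_of(target) != good:
            mismatched.append(path)
    # lexists: a dangling symlink at one of these paths still counts
    present = [p for p in added if os.path.lexists(os.path.join(root, p.lstrip("/")))]
    return sorted(mismatched), sorted(missing), sorted(present)


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1], parse_manifest(POST_EXCERPT)))
```

A mismatch only means the file differs from the poster's copy; as the post notes for `/sbin/ipchains`, a different installed version produces a different checksum too.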