
[cobalt-users] IMPORTANT - POSSIBLE HACKS WITH PATCHES!!



it looks suspicious, esp. after just coming back three days
ago from a hack. But I don't see this port anywhere in the
services file, and I haven't been able to really find anything

Craig, it's definitely a backdoor. Anything that puts "sh"
in your inetd.conf is a backdoor. Strip it out immediately.

Thanks for all your replies. I've come to agree after reading up on bash a little more. I stripped it out and ran md5sum on all the files and compared their values to this list that Tony posted. Everything looked good and matched up:

http://list.cobalt.com/pipermail/cobalt-users/2001-February/032902.html

Now all I have to figure out is if someone actually did get into the machine, or was this placed in there purposely by someone at my NOC when they reloaded the machine two days ago. --OR-- they did mention they were using a "burned" CD to restore the box. I'm wondering if that might have been in the org files off the CD. I've noticed that many of the important files have dates of around Dec '96, while my other two boxes have dates closer to the present.

I'm not sure, but knowing that all the patches/updates, along with the other security precautions I installed, were all put on that box as soon as it came up (the BIND patch and other Cobalt plugs were put on *before* the box came live), I really need to figure out "HOW" or "WHO" placed that line in inetd.conf. I've looked over bash history and everything looks clean. Hell, it's not that large; the box has only been up for 48 hours.

-Craig
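Added example, not from the list post or from Cobalt: a small POSIX shell check that turns the rule given above (a shell as the server program in inetd.conf is a backdoor) into something you can run over a real file. The inetd.conf contents below are a constructed sample; on a live box run `flag_inetd_shells < /etc/inetd.conf`.

```shell
#!/bin/sh
# Constructed sample inetd.conf (not from any real system). Classic inetd
# format: service socket proto wait/nowait user server-path server-args.
# One entry hands a listening port straight to /bin/sh, the pattern the
# thread describes.
SAMPLE_INETD='# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
12345   stream  tcp     nowait  root    /bin/sh         sh -i
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd'

# flag_inetd_shells: read an inetd.conf on stdin and print "service:server"
# for every active entry whose server program, or the argv[0] it is given
# (which is what a tcpd wrapper actually executes), is a shell.
flag_inetd_shells() {
    awk '
        /^[[:space:]]*#/ || NF < 6 { next }       # skip comments, blanks, malformed lines
        {
            prog = $6;  sub(".*/", "", prog)      # basename of server path (field 6)
            argv0 = (NF >= 7) ? $7 : ""
            sub(".*/", "", argv0)                 # basename of first server arg
            if (prog  ~ /^(sh|bash|csh|ksh|tcsh|zsh)$/ ||
                argv0 ~ /^(sh|bash|csh|ksh|tcsh|zsh)$/)
                print $1 ":" $6
        }'
}

# count_flagged: number of suspicious entries in the sample (demo helper).
count_flagged() {
    printf '%s\n' "$SAMPLE_INETD" | flag_inetd_shells | wc -l | tr -d ' '
}

# Demo run over the constructed sample; prints: 12345:/bin/sh
printf '%s\n' "$SAMPLE_INETD" | flag_inetd_shells
```

Any line this prints deserves the same treatment the thread gives it: remove the entry, HUP inetd, and then go looking for how it got there.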
