
RE: [cobalt-users] last bit of hacker droppings.



+> } [root /etc]# crontab -u root -l
+> } # DO NOT EDIT THIS FILE - edit the master and reinstall.
+> } # (/cr0n installed on Tue Feb 13 23:17:54 2001)
+> } # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
+> } */5 * * * * /usr/sbin/init
+>
+>
+Ran "./chkrootkit" results in nothing found, but
+running "chkrootkit -x | more "
+revealed all of these which looked similar to the above???
+$Id: cron.c,v 2.11 1994/01/15 20:43:43 vixie Exp $
+$Id: database.c,v 2.8 1994/01/15 20:43:43 vixie Exp $
+$Id: user.c,v 2.8 1994/01/15 20:43:43 vixie Exp $
+$Id: entry.c,v 2.12 1994/01/17 03:20:37 vixie Exp $
+$Id: job.c,v 1.6 1994/01/15 20:43:43 vixie Exp $
+$Id: do_command.c,v 2.12 1994/01/15 20:43:43 vixie Exp $
+$Id: misc.c,v 2.9 1994/01/15 20:43:43 vixie Exp $
+$Id: env.c,v 2.6 1994/01/15 20:43:43 vixie Exp $
+$Id: popen.c,v 1.5 1994/01/15 20:43:43 vixie Exp $
+@(#)popen.c
+5.7 (Berkeley) 2/14/89
+$Id: compat.c,v 1.6 1994/01/15 20:43:43 vixie Exp $
+Are they BAD! What is vixie?
+Gerald

That's why I asked...I edited regular users' crons with the standard cron flags
but I never did root's on a Raq. The line with /cr0n is the time stamp of the hack.
If this is right it's saying that the Cron version is 2.13 1994 ????
Vixie is the name of the cron program...vixie cron...and there were several exploits
in the recent past with the older versions. Bugtraq should have an archive of it.

It sounds like our hacker replaced cron too but the unhack.pl script didn't pick that up.
Does anyone have any checksums of good cron files?


tony
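
An added example, not part of the original message and not taken from unhack.pl: a small Python check over `crontab -l` output that extracts the install header discussed above (source file and timestamp) and flags jobs that run a well-known system binary name from an unexpected directory. The function name and the `EXPECTED_PATHS` table are assumptions for illustration; the sample input is constructed from the listing quoted in this thread.

```python
import os
import re
from datetime import datetime

# Constructed sample: the root crontab listing quoted in the thread,
# with the wrapped "Cron version" line joined back together.
SAMPLE = """\
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/cr0n installed on Tue Feb 13 23:17:54 2001)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
*/5 * * * * /usr/sbin/init
"""

# Assumption: conventional Linux locations; adjust for the host being audited.
EXPECTED_PATHS = {"init": "/sbin/init", "crond": "/usr/sbin/crond"}

# Header that crontab writes when a file is installed: source path + time.
HEADER = re.compile(r"^# \((\S+) installed on (.+)\)$")


def audit_crontab(text):
    """Return (source_file, install_time, findings) for `crontab -l` output.

    findings is a list of (schedule, binary, expected_path) for jobs whose
    binary name matches a known system binary but lives somewhere else.
    """
    source = installed = None
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            source = m.group(1)
            installed = datetime.strptime(m.group(2), "%a %b %d %H:%M:%S %Y")
            continue
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue  # blank line, comment or environment assignment
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # not a five-field schedule plus command
        schedule, command = " ".join(fields[:5]), fields[5]
        binary = command.split()[0]
        expected = EXPECTED_PATHS.get(os.path.basename(binary))
        if expected and binary != expected:
            findings.append((schedule, binary, expected))
    return source, installed, findings
```

A flagged path only says the job deserves a closer look; confirming that a binary was replaced still needs a comparison against a known-good copy, which is what the checksum question above is asking for.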