Re: Re:[2] [cobalt-users] Bind Hack - added files
- Subject: Re: Re:[2] [cobalt-users] Bind Hack - added files
- From: "Steve Bassi" <steve@xxxxxxxxx>
- Date: Sat Feb 17 17:27:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Carrie, have a look again:
This is what you are looking for; if you have these you have been hacked. I
have a RAQ at UK2 and mine was lucky and wasn't hacked. Many were, sadly.
Rgds
Steve Bassi
The following directory was added and contains the rootkit:
/lib/security/.config
The following files were added which were not present before:
"/bin/xlogin",
"/etc/ld.so.hash",
"/sbin/login",
"/usr/bin/ssh2d",
"/usr/lib/crth.o",
The following files are modified: (Filename + MD5 checksum for good
version)
'/bin/login' =>
'e400921eb6a2c84822c5d7de5b4f3057',
'/bin/ls' =>
'f482ae701e46005a358a01c139f1ae74',
'/bin/netstat' =>
'd0eaec3e6bf397c5a81ce3d19ecd7527',
'/bin/ping' =>
'9360094b873124bd6b2ac110ea6a5d20',
'/bin/ps' =>
'6d16efee5baecce7a6db7d1e1a088813',
'/bin/su' =>
'231be390b7abe8c8ea5e3d9ee0dc8868',
'/etc/rc.d/init.d/network' =>
'02dee8e3f98e15ede99e77726d1db570',
'/usr/bin/dir' =>
'b1713d95fd6664c216ccd113cd1c366a',
'/usr/bin/du' =>
'5b1e21c2ec8de4676d296df4aee68dbb',
'/usr/bin/find' =>
'591b34668b1e346061d316e195a22682',
'/usr/bin/passwd' =>
'b0ea7b138e3fab9a4d116a3d05685147',
'/usr/sbin/in.telnetd' =>
'42779825eccdcf19cca89e25d71ab440',
'/usr/sbin/named' =>
'db0778ea46c32dd4fded58df21b84500',
'/usr/sbin/sendmail' =>
'90ccd5bddf9f75d5b6caf78b4fa5f1c1',
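
A check built from the lists in the message above, as an added example that is not part of the original post. Because ls, find, ps and netstat are among the modified files, it assumes the suspect disk is mounted on a separate trusted system; the names scan and demo, the mount-point argument, and the sample files and checksums in demo are constructed for illustration, and in real use known_good would hold the path/MD5 pairs from the post, which only match the build they were taken from.

```python
import hashlib
import os
import tempfile

# Paths the message lists as added by the rootkit.
ADDED_PATHS = ["/lib/security/.config", "/bin/xlogin", "/etc/ld.so.hash",
               "/sbin/login", "/usr/bin/ssh2d", "/usr/lib/crth.o"]

def md5_of(path):
    """MD5 of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(root, known_good):
    """Check a suspect filesystem mounted at `root` (hypothetical layout).
    known_good maps absolute path -> MD5 of the good version."""
    findings = []
    for p in ADDED_PATHS:
        # lexists: report the entry even if it is a dangling symlink
        if os.path.lexists(os.path.join(root, p.lstrip("/"))):
            findings.append(("added", p))
    for p, good in sorted(known_good.items()):
        target = os.path.join(root, p.lstrip("/"))
        # A symlink could resolve outside the mounted image, so do not hash it
        if os.path.islink(target) or not os.path.isfile(target):
            findings.append(("not-regular-file", p))
        elif md5_of(target) != good.lower():
            findings.append(("modified", p))
    return findings

def demo():
    # Constructed sample tree standing in for a mounted suspect disk.
    with tempfile.TemporaryDirectory() as root:
        for d in ("bin", "lib/security/.config", "usr/sbin"):
            os.makedirs(os.path.join(root, d))
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"trojaned ls")   # differs from the "good" content
        with open(os.path.join(root, "usr/sbin/named"), "wb") as f:
            f.write(b"clean named")
        known_good = {  # constructed checksums, NOT the ones from the post
            "/bin/ls": hashlib.md5(b"clean ls").hexdigest(),
            "/bin/ps": hashlib.md5(b"clean ps").hexdigest(),
            "/usr/sbin/named": hashlib.md5(b"clean named").hexdigest(),
        }
        return scan(root, known_good)

if __name__ == "__main__":
    print(demo())
```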