
Re: [cobalt-users] Signs That Your System May Have Been Compromised



On Saturday, August 11, 2001, at 08:52 AM, Bradley Caricofe wrote:

I've got all the latest patches on my machine, if someone else has too I'd
like to know how the intruders got in

Brad

Brad, I was not totally up to date when the hacker got in. As far as knowing how, well, since I'm not an "expert", I don't know exactly how they got in. The hacker named "The Dwarf" did get into one of the virtual sites and modified the index.html file to brag about their break-in. I noticed in the logs that they had executed a remote command with "echo ...", which makes me believe that they used http somehow. They also deleted a .htaccess file, but I don't know which one. I thought that maybe each virtual site has an .htaccess file automatically generated by the cobalt gui, but I haven't found anything to indicate that this is so.

Anyway, I would still like to know if anyone else may have gotten similar results to the command "find / -user root -perm -4000 -print". The results I got concern me, but I've been unable to get any response as to the seriousness of the potential compromise.

find: /proc/6/fd: Permission denied
find: /proc/1726/fd/4: No such file or directory
/bin/su
/bin/login
/sbin/pwdb_chkpwd
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/ssh
/usr/local/bin/ssh1
/usr/local/majordomo/wrapper
/usr/local/frontpage/version4.0/apache-fp/_vti_bin/fpexe
/usr/sbin/cmos
/usr/sbin/sendmail
/usr/sbin/traceroute
/usr/libexec/pt_chown
/usr/cgiwrap/cgiwrap
/usr/cgiwrap/cgiwrapd
/usr/cgiwrap/nph-cgiwrap
/usr/cgiwrap/nph-cgiwrapd

I have not run all the tests described to check the system, but since I got the results above, I thought I would ask and see if I could learn a little more before I go too far.

Thank you for your support!

enrique
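The question in the message above is essentially "which of these setuid-root files are supposed to be there?" The usual way to answer it is to compare the output of that find command against a baseline taken from a trusted install (or a package manifest) and look only at the differences. The script below is an added example, not code from the original thread or from Cobalt: its baseline is constructed from the list in enrique's message, the two `find:` diagnostic lines are filtered out because they are not paths, and the path `/tmp/.hidden/sh` is a constructed placeholder standing in for a file that is not in the baseline.

```sh
#!/bin/sh
# Added example (not from the original thread): report setuid-root files
# that are absent from a known-good baseline. The baseline here is
# constructed from the listing posted to cobalt-users; on a real host it
# should come from a clean install or from package manifests.

# Expected setuid-root paths, one per line (constructed from the post).
BASELINE_SUID='/bin/su
/bin/login
/sbin/pwdb_chkpwd
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/ssh
/usr/local/bin/ssh1
/usr/local/majordomo/wrapper
/usr/local/frontpage/version4.0/apache-fp/_vti_bin/fpexe
/usr/sbin/cmos
/usr/sbin/sendmail
/usr/sbin/traceroute
/usr/libexec/pt_chown
/usr/cgiwrap/cgiwrap
/usr/cgiwrap/cgiwrapd
/usr/cgiwrap/nph-cgiwrap
/usr/cgiwrap/nph-cgiwrapd'

# Constructed sample of `find / -user root -perm -4000 -print` output:
# the two diagnostics from the post, the baseline itself, and one extra
# path (placeholder) representing a file that should not be setuid root.
SAMPLE_LISTING="find: /proc/6/fd: Permission denied
find: /proc/1726/fd/4: No such file or directory
$BASELINE_SUID
/tmp/.hidden/sh"

# unexpected_suid LISTING_FILE
#   Prints every path in LISTING_FILE that is not in BASELINE_SUID.
#   Lines starting with "find:" (permission errors, vanished /proc
#   entries) and blank lines are ignored. Exit status is 0 when nothing
#   unexpected was found and 1 otherwise, so it can drive a cron alert.
unexpected_suid() {
    printf '%s\n' "$BASELINE_SUID" | awk '
        NR == FNR { baseline[$0] = 1; next }   # first input: the baseline
        /^find:/  { next }                     # skip find diagnostics
        /^$/      { next }                     # skip blank lines
        !($0 in baseline) { print; bad = 1 }   # anything else is new
        END { exit bad ? 1 : 0 }
    ' - "$1"
}

main() {
    f=${TMPDIR:-/tmp}/suid-listing.$$
    printf '%s\n' "$SAMPLE_LISTING" > "$f"
    echo "setuid-root files not in baseline:"
    if unexpected_suid "$f"; then
        echo "(none)"
    else
        echo "-- review the paths above, e.g. with ls -l and rpm -qf / md5sum"
    fi
    rm -f "$f"
}
main
```

Run it as root after saving the real find output to a file and replacing `BASELINE_SUID` with the list from a clean system; a non-zero exit from `unexpected_suid` is the condition worth alerting on. Note that a baseline match only tells you a setuid file is expected by name: a replaced `/bin/login` still has the same path, so the listed binaries should also be checked against package checksums.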