[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-users] Signs That Your System May Have Been Compromised
- Subject: Re: [cobalt-users] Signs That Your System May Have Been Compromised
- From: enrique <enrique@xxxxxxxxxxxx>
- Date: Sun Aug 12 11:59:19 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Saturday, August 11, 2001, at 07:27 AM, Dan Kriwitsky wrote:
There are dozens of old hack discussions in the archives. Just search
for "I've been hacked"
Dan, thanks for the input, but I have to tell you that I've spent the
last three weeks reading the archives. The archive is what sent me to
cert.org, and made me start looking into the directions they gave to
find out if I'd been compromised. As far as I know, there is nothing in
the archives about using the command "find / -user root -perm -4000
-print"
Can you give any guidance on this issue? Below are the files which were
returned by giving the above command:
find: /proc/6/fd: Permission denied
find: /proc/1726/fd/4: No such file or directory
/bin/su
/bin/login
/sbin/pwdb_chkpwd
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/ssh
/usr/local/bin/ssh1
/usr/local/majordomo/wrapper
/usr/local/frontpage/version4.0/apache-fp/_vti_bin/fpexe
/usr/sbin/cmos
/usr/sbin/sendmail
/usr/sbin/traceroute
/usr/libexec/pt_chown
/usr/cgiwrap/cgiwrap
/usr/cgiwrap/cgiwrapd
/usr/cgiwrap/nph-cgiwrap
/usr/cgiwrap/nph-cgiwrapd
Thanks for your support Dan!
enrique