Re: [cobalt-users] Signs That Your System May Have Been Compromised
- Subject: Re: [cobalt-users] Signs That Your System May Have Been Compromised
- From: Rik Thomas <rikt@xxxxxxxxxxxxxxxx>
- Date: Mon Aug 13 01:46:01 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Sun, 12 Aug 2001, enrique wrote:
>
> On Saturday, August 11, 2001, at 08:52 AM, Bradley Caricofe wrote:
>
> > I've got all the latest patches on my machine, if someone else has too
> > I'd
> > like to know how the intruders got in
> >
> > Brad
>
> Brad, I was not totally up to date when the hacker got in. As far as
> knowing how, well since I'm not an "expert", I don't know exactly how
> they got in. The hacker named "The Dwarf" did get into one of the
> virtual sites and modified the index.html file to brag about their
> break-in. I noticed in the logs that they had executed a remote command with
> "echo ..." which makes me believe that they used http somehow. They also
> deleted a .htaccess file, but I don't know which one. I thought that
> maybe each virtual site has an .htaccess file automatically generated by
> the cobalt gui, but I haven't found anything to indicate that this is so.
>
> Anyway, I would still like to know if anyone else may have gotten
> similar results to the command "find / -user root -perm -4000 -print".
> The results I got concern me, but I've been unable to get any response
> as to the seriousness of the potential compromise.
>
> find: /proc/6/fd: Permission denied
> find: /proc/1726/fd/4: No such file or directory
> /bin/su
> /bin/login
> /sbin/pwdb_chkpwd
> /usr/bin/chage
> /usr/bin/gpasswd
> /usr/bin/passwd
> /usr/bin/procmail
> /usr/bin/rcp
> /usr/bin/rlogin
> /usr/bin/rsh
> /usr/bin/chfn
> /usr/bin/chsh
> /usr/bin/crontab
> /usr/bin/ssh
> /usr/local/bin/ssh1
> /usr/local/majordomo/wrapper
> /usr/local/frontpage/version4.0/apache-fp/_vti_bin/fpexe
> /usr/sbin/cmos
> /usr/sbin/sendmail
> /usr/sbin/traceroute
> /usr/libexec/pt_chown
> /usr/cgiwrap/cgiwrap
> /usr/cgiwrap/cgiwrapd
> /usr/cgiwrap/nph-cgiwrap
> /usr/cgiwrap/nph-cgiwrapd
>
> I have not run all the tests described to check the system, but since I
> got the results above, I thought I would ask and see if I could learn a
> little more before I go too far.
>
> Thank you for your support!
>
> enrique
I ran the above command on a cobalt that was brand new straight out of the
box with recent patches and received the same result.
--
Rik Thomas
rikt@xxxxxxxxxxxxxxxx http://SmartBackups.com
Is your Website Smart? Automated Website backups. Free 30Day trial!
Ph: 302.672.7314 Fx: 302.672.7315 ICQ: 879956
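The thread's practical takeaway is that the raw output of `find / -user root -perm -4000 -print` is not, by itself, evidence of a compromise: Rik reports the identical list on a freshly installed, patched Cobalt. What makes the command useful is comparing it against a known-good baseline and looking only at what changed. The script below is an added example written for this archive page, not code from the thread or from Cobalt. It embeds enrique's posted list as a constructed baseline, builds a constructed "current" scan that differs from it (one entry removed, one unexpected entry under /tmp added), and reports the differences. The `scan_setuid` helper shows the live form of the command; the `-xdev` and `-type f` options are my additions that keep `find` off /proc and similar pseudo-filesystems, which is where the "Permission denied" and "No such file or directory" noise in the posted output comes from.

```shell
#!/bin/sh
# Added example: diff a known-good inventory of setuid-root files against a
# fresh scan. Constructed data throughout; the live scan is scan_setuid().
export LC_ALL=C   # comm needs both inputs sorted under the same collation

# Live scan (not run in this demo). -xdev stays on the root filesystem so
# /proc is skipped; -type f ignores directories and symlinks.
scan_setuid() {
    find / -xdev -user root -perm -4000 -type f -print 2>/dev/null | sort -u
}

# Constructed baseline: the setuid-root list posted to cobalt-users, which a
# clean, patched Cobalt is reported to reproduce. On a real host, capture
# this once after installation: scan_setuid > /var/local/setuid.baseline
BASELINE='/bin/su
/bin/login
/sbin/pwdb_chkpwd
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/ssh
/usr/local/bin/ssh1
/usr/local/majordomo/wrapper
/usr/local/frontpage/version4.0/apache-fp/_vti_bin/fpexe
/usr/sbin/cmos
/usr/sbin/sendmail
/usr/sbin/traceroute
/usr/libexec/pt_chown
/usr/cgiwrap/cgiwrap
/usr/cgiwrap/cgiwrapd
/usr/cgiwrap/nph-cgiwrap
/usr/cgiwrap/nph-cgiwrapd'

# Constructed "current" scan: /usr/bin/rcp has lost its setuid bit and a
# hidden setuid shell has appeared under /tmp (placeholder path).
CURRENT=$(printf '%s\n' "$BASELINE" | grep -vx '/usr/bin/rcp'
          printf '%s\n' '/tmp/.unexpected/sh')

# setuid_diff BASELINE CURRENT
# Prints "+path" for setuid-root files not in the baseline and "-path" for
# baseline entries that are gone. Returns 0 if the inventories match,
# 1 if they differ, 2 if a temp file could not be created.
setuid_diff() {
    tmpb=$(mktemp) || return 2
    tmpc=$(mktemp) || { rm -f "$tmpb"; return 2; }
    printf '%s\n' "$1" | sort -u > "$tmpb"
    printf '%s\n' "$2" | sort -u > "$tmpc"
    # comm -13: only in current (new setuid files, the interesting case)
    # comm -23: only in baseline (setuid bit dropped or file removed)
    report=$( { comm -13 "$tmpb" "$tmpc" | sed 's/^/+/'
                comm -23 "$tmpb" "$tmpc" | sed 's/^/-/'; } )
    rm -f "$tmpb" "$tmpc"
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Demo against the constructed data.
if setuid_diff "$BASELINE" "$CURRENT"; then
    echo "setuid-root inventory matches baseline"
else
    echo "setuid-root inventory differs from baseline: investigate the lines above"
fi
```

In practice the baseline should be stored off-host (or on read-only media), since an intruder with root can edit a baseline kept on the same disk as easily as the binaries themselves; the same applies to the `find` binary and the logs that showed the "echo ..." command in the original post.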