Re: [cobalt-users] Signs That Your System May Have Been Compromised

[enrique <enriquevega@xxxxxxx>]

On Monday, August 13, 2001, at 12:29 PM, Rik Thomas wrote:

> > Anyway, I would still like to know if anyone else may have gotten
> > similar results to the command "find / -user root -perm -4000 -print."
> > The results I got concern me, but I've been unable to get any response
> > as to the seriousness of the potential compromise.
> >
> > find: /proc/6/fd: Permission denied
> > find: /proc/1726/fd/4: No such file or directory
> > /bin/su
> > /bin/login
> > /sbin/pwdb_chkpwd
> > /usr/bin/chage
> > /usr/bin/gpasswd
> > /usr/bin/passwd
> > /usr/bin/procmail
> > /usr/bin/rcp
> > /usr/bin/rlogin
> > /usr/bin/rsh
> > /usr/bin/chfn
> > /usr/bin/chsh
> > /usr/bin/crontab
> > /usr/bin/ssh
> > /usr/local/bin/ssh1
> > /usr/local/majordomo/wrapper
> > /usr/local/frontpage/version4.0/apache-fp/_vti_bin/fpexe
> > /usr/sbin/cmos
> > /usr/sbin/sendmail
> > /usr/sbin/traceroute
> > /usr/libexec/pt_chown
> > /usr/cgiwrap/cgiwrap
> > /usr/cgiwrap/cgiwrapd
> > /usr/cgiwrap/nph-cgiwrap
> > /usr/cgiwrap/nph-cgiwrapd
>
> I ran the above command on a cobalt that was brand new straight out of 
> the
> box with recent patches and received the same result.

Rik,

You've made me a happy man! Confused, but happy ;-)

Now, I wonder why on earth would the permissions be set as they are on a 
new RaQ3 as stated? I'm also wondering if this is something which could 
compromise the security of the RaQ? If these permissions are set by 
default on new machines, and they are a security problem, shouldn't 
Cobalt/Sun be responding to this message?

enrique