
RE: [cobalt-users] Signs That Your System May Have Been Compromised



Who says these settings are a security problem?
See below.

> >> Anyway, I would still like to know if anyone else may have gotten 
> >> similar results to the command "find / -user root -perm -4000 
> >> -print." The results I got concern me, but I've been unable to get 
> >> any response as to the seriousness of the potential compromise.
> >>
> >> find: /proc/6/fd: Permission denied
> >> find: /proc/1726/fd/4: No such file or directory
> >> /bin/su
> >> /bin/login
> >> /sbin/pwdb_chkpwd
> >> /usr/bin/chage
> >> /usr/bin/gpasswd
...
...
> >> /usr/cgiwrap/cgiwrapd
> >> /usr/cgiwrap/nph-cgiwrap
> >> /usr/cgiwrap/nph-cgiwrapd
> >
> > I ran the above command on a cobalt that was brand new straight out of
> > the box with recent patches and received the same result.
> 
> Rik,
> 
> You've made me a happy man! Confused, but happy ;-)
> 
> Now, I wonder why on earth would the permissions be set as they are on a
> new RaQ3 as stated? I'm also wondering if this is something which could
> compromise the security of the RaQ? If these permissions are set by
> default on new machines, and they are a security problem, shouldn't
> Cobalt/Sun be responding to this message?

These are normal and necessary.

I don't have the original posting, but it seems that the
original poster was looking for signs that a compromise
has occurred.  Just because a file has suid root doesn't mean
it is bad.  For instance, the /usr/bin/passwd command must
be suid root, else a user couldn't change their own
password (couldn't write the changed password into /etc/shadow).

The object of looking for the suid root files is to look for 
new ones that don't belong and could have been added by a
hacker/cracker.

  
---- 
Dean Hall at Tactix ReEngineering ( dean@xxxxxxxxxx ) 
503 520-9699  http://www.tactix.com 
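The point Dean makes above is that the setuid-root listing is only useful when compared against a known-good baseline. The script below is an added example, not code from the list or from Cobalt/Sun: it wraps the same find invocation quoted in the thread (pruning /proc to avoid the "Permission denied" noise), and reports any setuid-root path that was not present in an earlier saved listing. The two file lists in the demo are constructed for illustration; the path /usr/local/bin/newsuid is a made-up stand-in for an unexpected addition.

```shell
#!/bin/sh
# Added example (not from the original post): baseline the setuid-root
# files on a host and report anything that appears later.
# Fix the collation so sort and comm agree on ordering.
export LC_ALL=C

# Collect the current setuid-root files, sorted, skipping /proc
# (the "find: /proc/...: Permission denied" lines in the thread come
# from descending into /proc, which holds no real files anyway).
collect_suid() {
    find / -path /proc -prune -o -type f -user root -perm -4000 -print 2>/dev/null | sort
}

# Print paths present in the current listing but absent from the baseline.
# Both files hold one path per line and must be sorted (collect_suid does this).
# Usage: new_suid BASELINE_FILE CURRENT_FILE
new_suid() {
    # comm -13 suppresses lines unique to file 1 and lines common to both,
    # leaving only the lines unique to file 2 (the current listing).
    comm -13 "$1" "$2"
}

# Typical use on a real host (not run here):
#   collect_suid > /var/lib/suid.baseline      # right after install/patching
#   collect_suid > /tmp/suid.now               # later, e.g. from cron
#   new_suid /var/lib/suid.baseline /tmp/suid.now

# Demonstration with constructed listings standing in for two runs of find.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' /bin/login /bin/su /usr/bin/chage /usr/bin/gpasswd \
        > "$tmp/baseline"
    # Same set plus one path that was not there before (constructed).
    printf '%s\n' /bin/login /bin/su /usr/bin/chage /usr/bin/gpasswd \
        /usr/local/bin/newsuid > "$tmp/current"
    new_suid "$tmp/baseline" "$tmp/current"
    rm -rf "$tmp"
}
```

Only additions are reported; a file that was setuid in the baseline and has since been removed is not flagged, which is the usual choice when the question is "what did someone add". Keep the baseline somewhere the web-facing account cannot write, and refresh it only after patching, since vendor updates can legitimately add or replace setuid binaries.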