
RE: [cobalt-users] Signs That Your System May Have Been Compromised



Here is the list that our Raq3 throws out:

/bin/su
/bin/login
/sbin/pwdb_chkpwd
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/local/majordomo/wrapper
/usr/local/frontpage/version4.0/apache-fp/_vti_bin/fpexe
/usr/sbin/cmos
/usr/sbin/sendmail
/usr/sbin/traceroute
/usr/libexec/pt_chown
/usr/knox/bin/nlservd
/usr/knox/bin/rnavc
/usr/cgiwrap/cgiwrap
/usr/cgiwrap/cgiwrapd
/usr/cgiwrap/nph-cgiwrap
/usr/cgiwrap/nph-cgiwrapd


They appear standard, and as such I don't worry as per Dean's posting,
they have to have these permissions to allow various system functions to
be carried out by users.




Andy Brown

InterV8 Ltd
http://www.interv8.co.uk
 

-----Original Message-----
From: enrique [mailto:enriquevega@xxxxxxx]
Sent: 16 August 2001 9:55 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] Signs That Your System May Have Been
Compromised



On Wednesday, August 15, 2001, at 05:18 PM, Dean Hall wrote:

> Who says these settings are a security problem?

Dean, I am the original poster. Here is some of the original post:

http://www.cert.org/tech_tips/intruder_detection_checklist.html#intro

I started reading and following the checks, and ended up stumped after 
the first check. Seems I have some files which have an incorrect set of 
permissions. The following files have -rwsr-xr-x set. Could someone on a
RaQ3 enter the command "find / -user root -perm -4000 -print" and tell
me if you are getting the same output? If these files have incorrect 
permissions, then what should the command be to change them to the 
correct permission?

Thank you for your feedback!

enrique

_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
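
Added example, not part of the original thread: the thread compares one machine's "find / -user root -perm -4000 -print" output with another's by eye, and this sketch automates that comparison against a saved baseline list. The function name suid_audit, the baseline file format (one absolute path per line, "#" comments allowed) and the UNEXPECTED/MISSING labels are assumptions made for illustration.

```shell
#!/bin/sh
# suid_audit ROOT BASELINE [OWNER]
#   ROOT      directory to scan ("/" on a live system)
#   BASELINE  file listing the expected set-uid paths, one per line
#   OWNER     owner to match (name or numeric uid); defaults to root,
#             as in the find command quoted in the thread
# Prints "UNEXPECTED <path>" for set-uid files that are not in the baseline
# and "MISSING <path>" for baseline entries that were not found set-uid.
# Exit status: 0 = matches baseline, 1 = differences, 2 = setup error.
suid_audit() (
    LC_ALL=C; export LC_ALL            # same collation for sort and comm
    root=${1%/}; baseline=$2; owner=${3:-root}
    tmp=$(mktemp -d) || exit 2

    # Same test as the thread's command, limited to regular files.
    # The scan root is stripped so results compare with baseline paths.
    find "${root:-/}" -type f -user "$owner" -perm -4000 -print 2>/dev/null |
        awk -v n="${#root}" '{ print substr($0, n + 1) }' |
        sort -u > "$tmp/found"

    # Drop comments and blank lines from the baseline.
    grep -v -e '^#' -e '^[[:space:]]*$' "$baseline" | sort -u > "$tmp/expected"

    {
        comm -23 "$tmp/found" "$tmp/expected" | sed 's/^/UNEXPECTED /'
        comm -13 "$tmp/found" "$tmp/expected" | sed 's/^/MISSING /'
    } > "$tmp/report"

    cat "$tmp/report"
    if [ -s "$tmp/report" ]; then status=1; else status=0; fi
    rm -rf "$tmp"
    exit "$status"
)
```

Saving the find output from a freshly installed system as the baseline and running "suid_audit / baseline.txt" later reports any set-uid root file that has appeared or lost the bit since then.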