[cobalt-users] Raq4r - compromised?
- Subject: [cobalt-users] Raq4r - compromised?
- From: "Liam Delahunty" <mail@xxxxxxxxxxxxxxxxx>
- Date: Sun Feb 3 06:48:36 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
I saw the following on the sun site
http://cobalt-knowledge.sun.com/cgi-bin/kbase.cfg/php/enduser/std_adp.php?p_sid=sCBRGR6g&p_lva=&p_refno=011221-000001&p_created=1008950245&p_sp=cF9ncmlkc29ydD0mcF9yb3dfY250PTExJnBfc2VhcmNoX3RleHQ9ZHJvcCBkb3duIGF0dGFjayZwX3NlYXJjaF90eXBlPTMmcF9wcm9kX2x2bDE9fmFueX4mcF9wcm9kX2x2bDI9fmFueX4mcF9jYXRfbHZsMT1_YW55fiZwX2NhdF9sdmwyPX5hbnl_JnBfc29ydF9ieT1kZmx0JnBfcGFnZT0x&p_li=
<sun>
What you should try is checking the binaries for an indication of a hack.
Although it is not 100% accurate. You can be resonably (sic) sure that the
server has been hacked if any of the following produces output.
Telnet to the server as admin and su - to root. Type these commands:
rpm -V procps
rpm -V fileutils
rpm -V net-tools
rpm -V util-linux
NOTE: util-linux will complain about:
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
M...... /usr/bin/newgrp
M...... /usr/bin/write
If any other output should occur, such as issues with /bin or /usr/bin, our
advice is to perform an OS restore to assure the security of your server. Be
sure the restore files do not contain the hack. Please consult with a
security expert if an OS Restore is not an option."
</sun>
So tried it and saw...
[root admin]# rpm -V procps
[root admin]# rpm -V fileutils
[root admin]# rpm -V net-tools
[root admin]# rpm -V util-linux
.M...... /usr/bin/newgrp
.M...... /usr/bin/write
So as I DIDN'T get the "S.5..." etc. bits, is there an intrusion problem?
Is everything okay? What does the output mean?
Kind regards,
Liam
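
The following is an added example, not part of the original post or of Sun's note: a small Python decoder for `rpm -V` output that names each failed test and separates the deviations the quoted Sun note lists as normal from anything else. The function names and the `/bin/ps` line are constructed for illustration, and treating a subset of a listed deviation as expected is an assumption.

```python
import re

# rpm -V prints one flag per failed test; "." means passed, "?" means not testable.
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "MD5 checksum", "D": "device",
    "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
}
# Deviations the quoted Sun note lists as normal for util-linux.
EXPECTED = {
    "/etc/pam.d/chfn": set("S5T"), "/etc/pam.d/chsh": set("S5T"),
    "/etc/pam.d/login": set("S5T"),
    "/usr/bin/newgrp": set("M"), "/usr/bin/write": set("M"),
}
# Flags, optional file-type marker ("c" = config file), absolute path.
VERIFY_LINE = re.compile(r"^([SM5DLUGT.?]{7,8})\s+(?:([cdglr])\s+)?(/\S+)$")
MISSING_LINE = re.compile(r"^missing\s+(?:([cdglr])\s+)?(/\S+)$")

# Output as shown in the post.
POST_OUTPUT = """[root admin]# rpm -V util-linux
.M...... /usr/bin/newgrp
.M...... /usr/bin/write
"""
# Constructed line (not from the post): a binary whose content no longer matches.
CONSTRUCTED_LINE = "S.5....T   /bin/ps\n"

def parse_line(line):
    """Return (path, set_of_failed_flags), or None for prompts and blank lines."""
    line = line.strip()
    m = MISSING_LINE.match(line)
    if m:
        return m.group(2), {"missing"}
    m = VERIFY_LINE.match(line)
    if not m:
        return None
    # Decode by letter, not column, so 7- and 8-character flag strings both work.
    return m.group(3), {ch for ch in m.group(1) if ch in FLAG_MEANING}

def triage(output):
    """Split rpm -V output into (expected, investigate) lists of (path, tests)."""
    expected, investigate = [], []
    for line in output.splitlines():
        parsed = parse_line(line)
        if parsed is None or not parsed[1]:
            continue
        path, failed = parsed
        tests = sorted(FLAG_MEANING.get(f, f) for f in failed)
        # Assumption: a subset of a listed deviation also counts as expected.
        bucket = expected if failed <= EXPECTED.get(path, set()) else investigate
        bucket.append((path, tests))
    return expected, investigate

if __name__ == "__main__":
    print(triage(POST_OUTPUT + CONSTRUCTED_LINE))
```

`rpm -V` compares files against the local RPM database, so a clean result is only as trustworthy as that database and the `rpm` binary itself.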