Re: [cobalt-users] root password stored in plain-text?
- Subject: Re: [cobalt-users] root password stored in plain-text?
- From: "Dave~" <cobaltraq4@xxxxxxx>
- Date: Thu Sep 26 12:02:58 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
----- Original Message -----
Subject: Re: [cobalt-users] root password stored in plain-text?
> Unfortunately that looks like a common "0wn3d" fingerprint. For some reason
> root kits like to put things in /usr/man/man1 - but generally use things
> like spaces before names to hide the directories.
>
> They generally run perl sniffers which pick out usernames and passwords -
> appending these to files like the one you have described.
>
> This is not to say you have definitely been "r00t3d" (although it does look
> bad :(
>
> Download and run the chkrootkit tool to check your system - you should
> probably do this anyway with the slapper worm doing the rounds.
Going to google and putting in /usr/man/man1/version.1.gz as the search string
reveals that openssl-0.9.5a will cause this:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=/usr/man/man1/version.1.gz&btnG=Google+Search
>
> ALSO,
>
> I would post this on the security list - you will get more security related
> feedback than this one.
>
> > My Raq4 reports:
> >
> > [root man1]# cat /usr/man/man1/version.1.gz
> > cat: /usr/man/man1/version.1.gz: No such file or directory
> > [root man1]#
> >
> > So unzip the file and look at it- maybe it will tell you something.
Sorry forgot about the hand-holding that needs to be done here. I ASSuMEd
that if a system admin saw that this was not on a Raq4 it would get the ball
rolling like:
What is the date of the file?
What's in the file?
What are the permissions?
What changes have been made recently?
What does the user archive say about it?
What does google say about it?
etc...
As seen above, there are instances that will create this file- having
openssl-0.9.5a installed. So now:
Which openssl do I have installed?
Is it safe to delete this file?
What does chkrootkit say?
etc...
It seemed like a better answer (although I should've spelled it out better)
than one that increased his worry level by saying, "yes- it does LOOK like
you've been 0wned but maybe not..."
Dave~