
Re: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?



Hi,

If you haven't performed a restore I would say that looked like a possible
rootkit using modified binaries.
Download and run (as root) a rootkit checker from
http://www.chkrootkit.org/ to check for one.
Looks grim though. Was this box fully patched and do you allow any
users shell accounts?

fragga

----- Original Message -----
From: "Nucharin Jansen" <nucharin@xxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Monday, October 21, 2002 12:56 AM
Subject: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat,
login What's wrong ?


>
> Hello,
>
> I couldn't access the website on the 18th - 20th.
> I requested a reboot of the RAQ4.
> When the NOC rebooted it on the 20th, I couldn't SSH in.
> So, I enabled and used telnet to check.
> I found that many system files were replaced by new ones.
> ex:
>
>  /bin
> -rwxr-xr-x   1 root     root       184023 Oct 18 22:03 ls
> -rwxr-xr-x   1 root     root       258612 Oct 18 22:03 netstat
> -rwxr-xr-x   1 root     root        47388 Oct 18 22:03 ps
> -rwxr-xr-x   1 root     root        43336 Oct 18 22:03 login
>
> /sbin
> -rwxr-xr-x   1 root     root        28696 Oct 18 22:03 syslogd
>
> /usr/bin
> -rwxr-xr-x   1 root     root       117311 Oct 18 22:03 du
> -rwxr-xr-x   1 root     root        22459 Oct 18 22:03 killall
> -rwxr-xr-x   1 root     root        24147 Oct 18 22:03 pstree
> -rwxr-xr-x   1 root     root        68692 Oct 18 22:03 top
>
> I never installed anything before.
> I asked the NOC sys engineer there. They never touched my bluebox.
> Do you have any suggestions?
> Is it an automatic restore or hacking?
> I can't use "ps -efw" to list all processes either.
>
> Thanks
> Nucharin J.
>
>
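
The quoted listing shows binaries in /bin, /sbin and /usr/bin all carrying the same modification minute, which is what the reply reads as a sign of replaced binaries. The script below is an added example, not part of either message, that surfaces such clusters across directories; the function name `mtime_clusters` and the threshold argument are hypothetical, and GNU `find` (for `-printf`) is assumed.

```bash
#!/bin/bash
# Added example: flag groups of files in system directories that were
# modified in the same minute, the pattern visible in the quoted listing.
# Run it with tools from trusted media (rescue CD, static binaries) when
# possible: find and ls on a compromised host may themselves be replaced.

# mtime_clusters MIN_COUNT DIR...
# Prints "YYYY-MM-DD HH:MM <count> <file> <file> ..." for every minute in
# which at least MIN_COUNT regular files in the given directories changed.
mtime_clusters() {
    local min="$1"; shift
    # -H follows a directory argument that is itself a symlink (/bin on
    # many current systems); -maxdepth 1 keeps the scan to that directory.
    find -H "$@" -maxdepth 1 -type f \
         -printf '%TY-%Tm-%Td %TH:%TM\t%p\n' 2>/dev/null |
    awk -F'\t' -v min="$min" '
        { count[$1]++; files[$1] = files[$1] " " $2 }
        END {
            for (m in count)
                if (count[m] >= min) print m, count[m] files[m]
        }' | sort
}

# Example: ./mtime_clusters.sh 3 /bin /sbin /usr/bin
if [ "$#" -gt 0 ]; then
    mtime_clusters "$@"
fi
```

Package installs and vendor updates also produce same-minute clusters, so each reported timestamp needs comparing against known maintenance dates before it is treated as suspicious.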