Re: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?
- Subject: Re: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?
- From: "Fragga" <fragga@xxxxxxxxxxxx>
- Date: Mon Oct 21 01:27:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
also just noticed -
[root /bin]# ls -la | grep ls
-rwxr-xr-x 1 root root 5016 May 30 2000 false
-rwxr-xr-x 1 root root 50148 Sep 9 1999 ls
See, ls is only 50 KB-ish; yours is over 100 KB. Definitely looks like a rooted
box.
You could also manually check the MD5 checksums with
[root bin]# md5sum /bin/ls /bin/netstat /bin/ps /bin/login /sbin/syslogd /usr/bin/du /usr/bin/killall /usr/bin/pstree /usr/bin/top
f482ae701e46005a358a01c139f1ae74 /bin/ls
eaa285a23a1715ce1c59998761538721 /bin/netstat
5e1725f2734365fef9e55398785f3033 /bin/ps
a6b700aeabfb87115b3cc1a47a5a19e1 /bin/login
5b0e9951a07a0b232f083a78e7fcf668 /sbin/syslogd
5b1e21c2ec8de4676d296df4aee68dbb /usr/bin/du
65853ea831ee24aa8ce6718e916a6e17 /usr/bin/killall
db8be064ac078021b8dafba1510994ab /usr/bin/pstree
48fbbb48204825866ab3089c2db96e87 /usr/bin/top
They should match these.... as long as I haven't been rooted ;)
fragga
----- Original Message -----
From: "Fragga" <fragga@xxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Monday, October 21, 2002 3:09 AM
Subject: Re: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?
> Hi,
>
> If you haven't performed a restore I would say that looked like a possible
> rootkit using modified binaries.
> Download and run (as root) a rootkit checker from
> http://www.chkrootkit.org/ to check for one.
> Looks grim though. Was this box fully patched and do you allow any
> users shell accounts?
>
> fragga
>
> ----- Original Message -----
> From: "Nucharin Jansen" <nucharin@xxxxxxxxxxx>
> To: <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Monday, October 21, 2002 12:56 AM
> Subject: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?
>
>
> >
> > Hello,
> >
> > I couldn't access the website on the 18th - 20th.
> > I requested a reboot of the RAQ4.
> > When the NOC rebooted it on the 20th, I couldn't SSH.
> > So I enabled and used telnet to check.
> > I found that many system files were replaced by new ones.
> > ex:
> >
> > /bin
> > -rwxr-xr-x 1 root root 184023 Oct 18 22:03 ls
> > -rwxr-xr-x 1 root root 258612 Oct 18 22:03 netstat
> > -rwxr-xr-x 1 root root 47388 Oct 18 22:03 ps
> > -rwxr-xr-x 1 root root 43336 Oct 18 22:03 login
> >
> > /sbin
> > -rwxr-xr-x 1 root root 28696 Oct 18 22:03 syslogd
> >
> > /usr/bin
> > -rwxr-xr-x 1 root root 117311 Oct 18 22:03 du
> > -rwxr-xr-x 1 root root 22459 Oct 18 22:03 killall
> > -rwxr-xr-x 1 root root 24147 Oct 18 22:03 pstree
> > -rwxr-xr-x 1 root root 68692 Oct 18 22:03 top
> >
> > I have never installed anything before.
> > I asked the NOC sys engineer there. They never touched my bluebox.
> > Do you have any suggestion ?
> > Is it an automatic restore or hacking ?
> > I can't use "ps -efw" to list all processes either.
> >
> > Thanks
> > Nucharin J.
> >
>
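The checksum comparison suggested in the thread, written as a repeatable check. This is an added example, not part of the original messages. The names check_manifest, make_sample and MD5SUM are hypothetical. It assumes the manifest was recorded on a known-good system running the same software release, and that the suspect filesystem is read through a trusted md5sum, since the thread's premise is that the box's own tools were replaced.

```shell
#!/bin/sh
# Added example (not from the thread): check files against an md5sum manifest
# recorded on a known-good system. MD5SUM is a hypothetical override so a
# trusted md5sum binary can be used instead of the suspect system's own.
MD5SUM=${MD5SUM:-md5sum}

# check_manifest MANIFEST [ROOT]
#   MANIFEST  lines of "<md5>  <absolute path>" (plain md5sum output)
#   ROOT      mount point of the filesystem to check; empty = live system
# Prints OK / MISMATCH / MISSING per file; returns 1 if any file is not OK.
check_manifest() {
    manifest=$1
    root=${2:-}; root=${root%/}
    status=0
    while read -r want path || [ -n "$want" ]; do
        [ -n "$want" ] || continue            # skip blank lines
        path=${path#\*}                       # drop md5sum's binary-mode marker
        if [ ! -f "$root$path" ]; then
            echo "MISSING   $path"; status=1; continue
        fi
        have=$("$MD5SUM" < "$root$path" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path"; status=1
        fi
    done < "$manifest"
    return "$status"
}

# Constructed sample: a fake root with three stand-in "binaries", a manifest
# taken while it was clean, then one file replaced and one deleted.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/root/bin"
    for f in ls ps login; do echo "original $f" > "$dir/root/bin/$f"; done
    for f in ls ps login; do
        echo "$("$MD5SUM" < "$dir/root/bin/$f" | cut -d' ' -f1)  /bin/$f"
    done > "$dir/manifest"
    echo "replaced ls" > "$dir/root/bin/ls"
    rm "$dir/root/bin/login"
    echo "$dir"
}

sample=$(make_sample)
check_manifest "$sample/manifest" "$sample/root" || echo "not all files match"
rm -rf "$sample"
```

A size or timestamp that looks normal in ls output does not clear a file; only the hash comparison against an independent baseline does.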