Re: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?
- From: "Roy Urick" <lists@xxxxxxxxxxxxxxxx>
- Date: Mon Oct 21 03:08:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Either you have been rooted, or just haven't installed a patch of some kind.
;)
I was following the thread, and my ls results are identical to Nucharin, and
yet has the same MD5 as yours.
Considering my box sits behind a pretty robust (and tight) firewall and IDS
box, I doubt I (we) have been rooted. I am not ruling it out, but it's not
very likely. At least not based on the file size of ls.
Anyway, my washing machine is being rotated out of service next week (21 days
till the spin/rinse cycle), so if it is, no biggie. It gets reformatted
before being re-deployed.
----- Original Message -----
From: "Fragga" <fragga@xxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Monday, October 21, 2002 3:22 AM
Subject: Re: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?
> also just noticed -
>
> [root /bin]# ls -la | grep ls
> -rwxr-xr-x 1 root root 5016 May 30 2000 false
> -rwxr-xr-x 1 root root 50148 Sep 9 1999 ls
>
> see ls is only 50 KB ish yours is over 100Kb definitely looks like a
> rooted box.
>
> also you could also manually check the MD5 checksums with
>
> [root bin]# md5sum /bin/ls /bin/netstat /bin/ps /bin/login /sbin/syslogd /usr/bin/du /usr/bin/killall /usr/bin/pstree /usr/bin/top
> f482ae701e46005a358a01c139f1ae74 /bin/ls
> eaa285a23a1715ce1c59998761538721 /bin/netstat
> 5e1725f2734365fef9e55398785f3033 /bin/ps
> a6b700aeabfb87115b3cc1a47a5a19e1 /bin/login
> 5b0e9951a07a0b232f083a78e7fcf668 /sbin/syslogd
> 5b1e21c2ec8de4676d296df4aee68dbb /usr/bin/du
> 65853ea831ee24aa8ce6718e916a6e17 /usr/bin/killall
> db8be064ac078021b8dafba1510994ab /usr/bin/pstree
> 48fbbb48204825866ab3089c2db96e87 /usr/bin/top
>
> they should match these.... as long as i haven't been rooted ;)
>
> fragga
>
> ----- Original Message -----
> From: "Fragga" <fragga@xxxxxxxxxxxx>
> To: <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Monday, October 21, 2002 3:09 AM
> Subject: Re: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?
>
>
> > Hi,
> >
> > if you haven't performed a restore i would say that looked like a
> > possible rootkit using modified binaries.
> > download and run ( as root ) a root kit checker from
> > http://www.chkrootkit.org/ to check for one.
> > looks grim though. was this box fully patched and do you allow any
> > users shell accounts ?
> >
> > fragga
> >
> > ----- Original Message -----
> > From: "Nucharin Jansen" <nucharin@xxxxxxxxxxx>
> > To: <cobalt-users@xxxxxxxxxxxxxxx>
> > Sent: Monday, October 21, 2002 12:56 AM
> > Subject: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?
> >
> >
> > >
> > > Hello,
> > >
> > > I couldn't access the website on the 18th - 20th.
> > > I requested a reboot of the RAQ4.
> > > When the NOC rebooted it on the 20th, I couldn't SSH.
> > > So, I enabled and used telnet to check.
> > > I found that many system files were replaced by new ones.
> > > ex:
> > >
> > > /bin
> > > -rwxr-xr-x 1 root root 184023 Oct 18 22:03 ls
> > > -rwxr-xr-x 1 root root 258612 Oct 18 22:03 netstat
> > > -rwxr-xr-x 1 root root 47388 Oct 18 22:03 ps
> > > -rwxr-xr-x 1 root root 43336 Oct 18 22:03 login
> > >
> > > /sbin
> > > -rwxr-xr-x 1 root root 28696 Oct 18 22:03 syslogd
> > >
> > > /usr/bin
> > > -rwxr-xr-x 1 root root 117311 Oct 18 22:03 du
> > > -rwxr-xr-x 1 root root 22459 Oct 18 22:03 killall
> > > -rwxr-xr-x 1 root root 24147 Oct 18 22:03 pstree
> > > -rwxr-xr-x 1 root root 68692 Oct 18 22:03 top
> > >
> > > I have never installed anything before.
> > > I asked the NOC sys engineer there. They never touched my bluebox.
> > > Do you have any suggestions ?
> > > Is it an automatic restore or hacking ?
> > > I can't use "ps -efw" to list all processes either.
> > >
> > > Thanks
> > > Nucharin J.
> > >
> >
>
>
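The manual md5sum comparison discussed in this thread can be scripted; the following is an added example, not code from any of the posters. It assumes a baseline in md5sum/sha256sum output format recorded from a known-good system, and a `root` directory where the suspect disk is mounted while booted from trusted media, because on a compromised host the hashing tool itself may have been replaced. The function names are hypothetical.

```python
import hashlib
import os
import re

# md5sum/sha256sum line: hex digest, whitespace, optional '*' mode flag, path.
LINE_RE = re.compile(r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{64})[ \t]+\*?(.+)$")
ALGO_BY_LEN = {32: "md5", 64: "sha256"}


def parse_baseline(text):
    """Return {path: (algo, hexdigest)} from md5sum-style text.

    Tolerates mail-quoting prefixes ("> ") and skips non-matching lines.
    """
    baseline = {}
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw.strip())
        m = LINE_RE.match(line)
        if m:
            digest = m.group(1).lower()
            baseline[m.group(2).strip()] = (ALGO_BY_LEN[len(digest)], digest)
    return baseline


def file_digest(path, algo):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(baseline, root="/"):
    """Compare files under root with the baseline; return {path: status}."""
    results = {}
    for path, (algo, expected) in sorted(baseline.items()):
        target = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(target):
            results[path] = "MISSING"
        elif file_digest(target, algo) == expected:
            results[path] = "OK"
        else:
            results[path] = "MISMATCH"
    return results


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:
        for p, status in verify(parse_baseline(fh.read()), sys.argv[2]).items():
            print(f"{status:8} {p}")
```

Run it as `script.py baseline.txt /mnt/suspect`; a MISMATCH only means the file differs from the baseline, which a vendor patch applied after the baseline was taken would also cause.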