Re: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?
- Subject: Re: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?
- From: "Roy Urick" <lists@xxxxxxxxxxxxxxxx>
- Date: Mon Oct 21 09:24:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
----- Original Message -----
From: "Fragga" <fragga@xxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Monday, October 21, 2002 7:50 AM
Subject: Re: [cobalt-users] RAQ4 Some system files change ex: ls, top,
netstat, login What's wrong ?
> Roy,
>
> quote "
>
> > Either you have been rooted, or just haven't installed a patch of some kind.
> > ;)
>
> "
> and what patches are they? I didn't realise there were patches out for
> netstat, ps, ls, etc etc.

I have (unfortunately) almost every patch that has been released on that
box, including the SHP.
Except for chkrootkit (which comes up clean on my box), everything I have
was a standard pkg.
I was referring to maybe you didn't apply the SHP or another one that would
have updated those particular files.

>
> As far as I know I have installed all the patches which are available for a
> raq4. Therefore I'm puzzled as to how you have deduced I've been cracked?
>
> below is a copy of the same files Nucharin provided from my raq and their
> attributes
>
> [root /bin]# ls -la ls netstat ps login
> -rwxr-xr-x 1 root root 21672 Jun 20 2000 login
> -rwxr-xr-x 1 root root 50148 Sep 9 1999 ls
> -rwxr-xr-x 1 root root 80632 Jun 14 2000 netstat
> -r-xr-xr-x 1 root root 60080 Mar 7 2000 ps
> [root /bin]# cd /usr/bin
> [root bin]# ls -la du killall pstree top
> -rwxr-xr-x 1 root root 21716 Sep 9 1999 du
> -rwxr-xr-x 1 root root 10160 Feb 5 2000 killall
> -rwxr-xr-x 1 root root 11376 Feb 5 2000 pstree
> -r-xr-xr-x 1 root root 34896 Mar 7 2000 top
> [root bin]# cd /sbin
> [root /sbin]# ls -la syslogd
> -rwxr-xr-x 1 root root 27112 Sep 27 2000 syslogd
>
> I've checked this with another couple of raq 4s and they all match up the
> same. Could someone else who's got a raq 4 display the output from their
> machine?
>
> I'd say it's about a 99.9% chance that Nucharin has been rooted so I'm puzzled
> as to why you think he hasn't been and that I have instead! hehe.

I wasn't implying that Nucharin wasn't and you were. I am sorry, I probably
wasn't completely clear. I meant that we can't say he is just based on the size
of ls changing. Unless making a change to ls somehow won't affect the MD5.
I simply meant that I got the same output that Nucharin did, and yet I still
checksum'd the same as you. Assuming we were both rooted (since we had the
same output), then since you have the same checksum it would make sense you
were too. Or am I way off in left field? If so, no surprises there. ;)
Unless we have both been rooted, and somehow he managed to alter my
chkrootkit so that it ignores his kit, I THINK we are both ok. My system
still scans clean, just different file sizes for some reason.
Anyone????
>
> fragga
>
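
Added example, not part of the original thread: the posts above compare `ls -la` sizes and MD5 sums of the same binaries across machines, and this sketch records a baseline on a trusted host and reports per file whether the digest or only the size differs. The manifest format, the function names, and the use of `sha256sum` in place of the thread's MD5 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Manifest format is an assumption:
#   <sha256>  <size-in-bytes>  <path>

# make_manifest FILE... : print one baseline line per file (run on a trusted host)
make_manifest() {
    for f in "$@"; do
        sum=$(sha256sum "$f" | awk '{print $1}')
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s  %s  %s\n' "$sum" "$size" "$f"
    done
}

# check_manifest MANIFEST : compare current files to the baseline.
# Prints a verdict per file and returns 1 if anything is missing or changed.
check_manifest() {
    rc=0
    while read -r want_sum want_size path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        have_sum=$(sha256sum "$path" | awk '{print $1}')
        have_size=$(wc -c < "$path" | tr -d ' ')
        if [ "$have_sum" = "$want_sum" ]; then
            echo "OK       $path"
        elif [ "$have_size" = "$want_size" ]; then
            # A size listing alone would not show this case.
            echo "CHANGED  $path (same size, different digest)"; rc=1
        else
            echo "CHANGED  $path (size $want_size -> $have_size)"; rc=1
        fi
    done < "$1"
    return $rc
}

# Stand-alone use: sh script.sh /path/to/baseline
if [ "$#" -gt 0 ]; then
    check_manifest "$1"
fi
```

Record the baseline on a host you trust and keep it off the machine being checked; a rootkit that replaces `ls` can replace the hashing tool as well, so run the check with binaries from read-only media where possible.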