Re: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?
- Subject: Re: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?
- From: "Fragga" <fragga@xxxxxxxxxxxx>
- Date: Mon Oct 21 10:03:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Roy, OK, no worries, I know what you mean now and where you were coming from.
I've just read a small bit about MD5 checksums, and
briefly scanning http://www.ietf.org/rfc/rfc1321.txt is a little bit too
much with a headache,
but I did find this:
http://www.linuxplanet.com/linuxplanet/tutorials/4342/2/
After scanning it, it appears that it's possible to tamper with the MD5
checksum, but it appears to be based on how many bits there are in something,
therefore I've lost it as to why you have the same checksum as me, as no doubt
you have some extra data inside that "ls". Is the MD5 the one from the
original vendor of "ls"?
Can anyone clear this up?
Thanks,
fragga
----- Original Message -----
From: "Roy Urick" <lists@xxxxxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Monday, October 21, 2002 11:23 AM
Subject: Re: [cobalt-users] RAQ4 Some system files change ex: ls, top,
netstat, login What's wrong ?
>
> ----- Original Message -----
> From: "Fragga" <fragga@xxxxxxxxxxxx>
> To: <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Monday, October 21, 2002 7:50 AM
> Subject: Re: [cobalt-users] RAQ4 Some system files change ex: ls, top,
> netstat, login What's wrong ?
>
>
> > Roy,
> >
> > quote "
> >
> > > Either you have been rooted, or just haven't installed a patch of some kind.
> > > ;)
> >
> > "
> > and what patches are they? I didn't realise there were patches out for
> > netstat, ps, ls, etc etc.
>
> I have (unfortunately) almost every patch that has been released on that
> box, including the SHP.
>
> Except for chkrootkit (which comes up clean on my box), everything I have
> was a standard pkg.
>
> I was referring to maybe you didn't apply the SHP or another one that would
> have updated those particular files.
>
> >
> > As far as I know I have installed all the patches which are available for a
> > raq4. Therefore I'm puzzled as to how you have deduced I've been cracked?
> >
> > Below is a copy of the same files Nucharin provided from my raq and their
> > attributes
> >
> > [root /bin]# ls -la ls netstat ps login
> > -rwxr-xr-x 1 root root 21672 Jun 20 2000 login
> > -rwxr-xr-x 1 root root 50148 Sep 9 1999 ls
> > -rwxr-xr-x 1 root root 80632 Jun 14 2000 netstat
> > -r-xr-xr-x 1 root root 60080 Mar 7 2000 ps
> > [root /bin]# cd /usr/bin
> > [root bin]# ls -la du killall pstree top
> > -rwxr-xr-x 1 root root 21716 Sep 9 1999 du
> > -rwxr-xr-x 1 root root 10160 Feb 5 2000 killall
> > -rwxr-xr-x 1 root root 11376 Feb 5 2000 pstree
> > -r-xr-xr-x 1 root root 34896 Mar 7 2000 top
> > [root bin]# cd /sbin
> > [root /sbin]# ls -la syslogd
> > -rwxr-xr-x 1 root root 27112 Sep 27 2000 syslogd
> >
> > I've checked this with another couple of raq 4s and they all match up the
> > same. Could someone else who's got a raq 4 display the output from their
> > machine?
> >
> > I'd say it's about a 99.9% chance that Nucharin has been rooted so I'm puzzled
> > as to why you think he hasn't been and that I have instead! hehe.
>
> I wasn't implying that Nucharin wasn't and you were. I am sorry, I probably
> wasn't completely clear. I meant that we can't say he is just based on the size
> of ls changing. Unless making a change to ls somehow won't affect the MD5.
>
> I simply meant that I got the same output that Nucharin did, and yet I still
> checksum'd the same as you. Assuming we were both rooted (since we had the
> same output), then since you have the same checksum it would make sense you
> were too. Or am I way off in left field? If so, no surprises there. ;)
>
> Unless we have both been rooted, and somehow he managed to alter my
> chkrootkit so that it ignores his kit, I THINK we are both ok. My system
> still scans clean, just different file sizes for some reason.
>
> Anyone????
> >
> > fragga
> >
>
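
Added example, not part of the original messages: the thread compares `ls -la` sizes and MD5 sums between boxes, and this sketch records size plus digest for the same paths from a known-good box and classifies each file on a suspect one. It assumes SHA-256 in place of the MD5 sums the posters used; the function names and the constructed demo files are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths from the listing in the thread.
WATCHED = ["/bin/login", "/bin/ls", "/bin/netstat", "/bin/ps", "/usr/bin/du",
           "/usr/bin/killall", "/usr/bin/pstree", "/usr/bin/top", "/sbin/syslogd"]

def fingerprint(path):
    """Return (size, sha256 hex). The listed binaries are small, so read them whole."""
    data = Path(path).read_bytes()
    return len(data), hashlib.sha256(data).hexdigest()

def build_manifest(paths=WATCHED, root="/"):
    """Fingerprint each path under root (e.g. a disk mounted read-only); None = absent."""
    manifest = {}
    for p in paths:
        full = Path(root) / p.lstrip("/")
        manifest[p] = fingerprint(full) if full.is_file() else None
    return manifest

def compare(baseline, current):
    """Classify each baseline path as ok, missing, size-changed or content-changed."""
    report = {}
    for path, want in baseline.items():
        got = current.get(path)
        if want is None or got is None:
            report[path] = "missing"
        elif got == want:
            report[path] = "ok"
        elif got[0] != want[0]:
            report[path] = "size-changed"
        else:
            report[path] = "content-changed"  # same size, different digest
    return report

def demo():
    """Constructed sample: two temp dirs stand in for a known-good and a suspect box."""
    samples = {"/bin/ls": (b"A" * 64, b"B" * 64),         # same size, new content
               "/bin/ps": (b"C" * 64, b"C" * 64 + b"x"),   # file grew
               "/bin/login": (b"D" * 64, b"D" * 64)}       # untouched
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        for path, blobs in samples.items():
            for root, data in zip((good, bad), blobs):
                full = Path(root) / path.lstrip("/")
                full.parent.mkdir(parents=True, exist_ok=True)
                full.write_bytes(data)
        return compare(build_manifest(list(samples), good), build_manifest(list(samples), bad))
```

Run it from trusted media against the suspect disk mounted read-only, since a replaced `ls` or checksum tool on the live system can report whatever it likes.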