Re: [cobalt-users] chkrootkit output show possible ambient
- Subject: Re: [cobalt-users] chkrootkit output show possible ambient
- From: Richard Siddall <cobalt@xxxxxxxxxxx>
- Date: Wed Nov 20 09:04:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
"alan@" wrote:
>
> Hi again,
>
> I have checked out the filestamps on traceroute and netstat and they both
> have the same stamp as every other (un-updated) file on the server, i.e. June
> 20 2000, so I think they are probably ok.
>
It's easy to fake timestamps. You'd be better off comparing the size
and MD5 sum against a known good copy.
> I am going to check out what the ARK actually does and how, before I go
> panicking, as I said, "somebody" changed the admin password, but there is no
> guarantee that it was a hacker. This is the problem when coming late to a
> project, everybody denies everything.
> This server has however got all the patches installed (I just installed the
> last 2 myself) and it has ssh 3.1 and telnet is turned off.
>
Sounds good. If you're willing to do the research and the hacker
wasn't too smart, you may be able to recover the box.
Your copy of SSH may be your problem. The current version on OpenSSH.org
is 3.5, and on Pkgmaster.com is 3.4.
> I will be installing ipchains etc. but I want to make sure there isn't a
> back door first.
>
> Thanks
>
Good luck.
> Alan
>
Richard.
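
The size-and-MD5 comparison suggested in the reply above, as an added example that is not part of the original message: a manifest is recorded from a known-good copy and a suspect tree is checked against it without ever consulting timestamps. The manifest format, the function names and the sample files are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example. Manifest line format (an assumption of this example):
#   <size-in-bytes> <md5> <path-relative-to-root>
# On a suspect host, run md5sum from trusted media: a rootkit can replace it too.

# make_manifest ROOT RELPATH... : record size and MD5 of known-good files.
make_manifest() {
    root=$1; shift
    for rel in "$@"; do
        printf '%s %s %s\n' "$(wc -c < "$root/$rel" | tr -d ' ')" \
            "$(md5sum "$root/$rel" | cut -d' ' -f1)" "$rel"
    done
}

# verify_manifest MANIFEST ROOT : print one finding per mismatch. The mtime is
# never consulted. Returns 1 if anything differs, 0 otherwise.
verify_manifest() {
    bad=0
    while read -r want_size want_sum rel; do
        f="$2/$rel"
        if [ ! -f "$f" ]; then echo "MISSING $rel"; bad=1; continue; fi
        got_size=$(wc -c < "$f" | tr -d ' ')
        got_sum=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$got_size" != "$want_size" ]; then echo "SIZE $rel"; bad=1
        elif [ "$got_sum" != "$want_sum" ]; then echo "MD5 $rel"; bad=1
        fi
    done < "$1"
    return "$bad"
}

# demo: constructed sample trees. The two netstat files have the same length
# and the same mtime (the date from the thread) but different content.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good/bin" "$tmp/suspect/bin"
    printf 'netstat-original' > "$tmp/good/bin/netstat"
    printf 'netstat-modified' > "$tmp/suspect/bin/netstat"
    printf 'traceroute' > "$tmp/good/bin/traceroute"
    cp "$tmp/good/bin/traceroute" "$tmp/suspect/bin/traceroute"
    touch -t 200006200000 "$tmp"/good/bin/* "$tmp"/suspect/bin/*
    make_manifest "$tmp/good" bin/netstat bin/traceroute > "$tmp/manifest"
    verify_manifest "$tmp/manifest" "$tmp/suspect" || true
    rm -rf "$tmp"
}

demo
```

The demo reports only the netstat copy, whose date and size match the reference while its checksum does not.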