Re: [cobalt-users] AdmR & AdmQ Users
- Subject: Re: [cobalt-users] AdmR & AdmQ Users
- From: Kevin Bonner <keb@xxxxxx>
- Date: Wed Mar 5 14:47:01 2003
- Organization: CTI Networks
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On Wednesday 05 March 2003 16:08, Santiago Montalvan wrote:
> I show the following users:
>
> admR:x:0:0:Qube3 Server Administrator:/home/admR:/bin/bash
> admQ:x:583:583:Qube3 Server Administrator:/home/admQ:/bin/bash
>
> admQ:x:583:583::/home/admQ:/bin/bash
> admR:x:584:584::/home/admR:/bin/bash
>
> Is this normal? We have a Qube3 Pro at work.
This isn't normal. The 0:0 means that user has root-level access, or
Administrator access (for all you Windows folk). An entry like the one above
usually means your box was rooted, or hacked. There could be any number of
ways a hacker could gain root, but the (usually) hard part is discovering
what the hacker has done to your system. I would run chkrootkit to see if
there are any of those lovely rootkit nightmares installed on your box... my
guess is yes, but finding out which rootkit is the fun part; fixing it is the
PITA part.
Another step would be to make sure that the system has applied all of the
patches released. Note that patching the system won't fix the things a
hacker has done, it just repairs the hole which was exploited. To fix the
things modified by a hacker, I would suggest searching through the system to
try and find what files were modified, then repairing those files OR
replacing the Qube3 Pro. Recently, I have done the latter, but the box I was
replacing was a RaQ4. Basically I obtained the new RaQ4, patched it,
configured it, copied the data over using CMU, then pulled the old and
dropped in the new.
Good luck with whatever action you choose to do,
Kevin
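As an added illustration of the check Kevin describes (this is not code from the thread or from Sun Cobalt), the script below audits /etc/passwd-style lines for the two things that stand out in Santiago's listing: an account other than root carrying UID 0, and user names or UIDs that appear more than once. The sample input is constructed from the entries quoted above; the `allowed_uid0` parameter is an assumption of this example.

```python
# Added example, not part of the original mailing-list post.
# Audits passwd(5)-format text for extra UID-0 accounts and duplicate
# names / UIDs, the pattern shown in the thread. Run with a path argument
# (defaults to /etc/passwd) to check a live system.
import sys
from collections import defaultdict

# Constructed sample modelled on the entries quoted in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admR:x:0:0:Qube3 Server Administrator:/home/admR:/bin/bash
admQ:x:583:583:Qube3 Server Administrator:/home/admQ:/bin/bash
admQ:x:583:583::/home/admQ:/bin/bash
admR:x:584:584::/home/admR:/bin/bash
"""


def audit_passwd(text, allowed_uid0=("root",)):
    """Return a list of (kind, detail) findings; an empty list means clean."""
    findings = []
    names = defaultdict(list)  # user name -> line numbers it appears on
    uids = defaultdict(list)   # numeric UID -> user names that use it
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        # passwd(5) lines have exactly seven colon-separated fields.
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append(("malformed", f"line {lineno}: {line}"))
            continue
        name, _pw, uid, _gid, _gecos, _home, _shell = fields
        uid = int(uid)
        names[name].append(lineno)
        uids[uid].append(name)
        # Any UID-0 account outside the allow-list is root-equivalent.
        if uid == 0 and name not in allowed_uid0:
            findings.append(("uid0", f"{name} (line {lineno}) has UID 0"))
    for name, lines in names.items():
        if len(lines) > 1:
            findings.append(("dup_name", f"{name} appears on lines {lines}"))
    for uid, owners in uids.items():
        if len(owners) > 1:
            findings.append(("dup_uid", f"UID {uid} shared by {sorted(owners)}"))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path) as fh:
        for kind, detail in audit_passwd(fh.read()):
            print(f"{kind}: {detail}")
```

On the sample above it reports admR as a second UID-0 account, both names as duplicated, and UIDs 0 and 583 as shared; a clean file returns an empty list.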