RE: [cobalt-users] Cobalt system security - compromized???
- Subject: RE: [cobalt-users] Cobalt system security - compromized???
- From: aljuhani <aljuhani@xxxxxxxxx>
- Date: Mon Mar 10 10:20:02 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hello Milen,
The files you listed belong to some file management utilities used by Linux
GNU. I do not know if it is part of Cobalt's standard software. See
this link for more info:
http://www.megaloman.com/~hany/RPM/doors2.2/jr/fileutils-4.0-11.i386.html.
Trojans are always attached to binary files. In Windows (*.exe) files and not
any other file types. In Linux, binary files are located under /bin or
/usr/bin.
In a Windows system, if a Trojan file is attached to an exe file such as
(notepad.exe) you will notice that the file size is increased. In Linux, file
length "size" is determined by what is called md5 checksum, that is why people
check the md5sum before installing any package or RPM to know if part of that
package is lost during download (packet loss) or if it is patched with a
Trojan.
RPM checks the length of the Binary Files and if it gives a value 5 such as
below, it means that binary is trojaned, damaged, edited, or overwritten:
S.5....T /usr/sbin/luseradd
S.5....T /usr/sbin/luserdel
To check your binaries you will need to issue:
rpm -Va
the:
V: is for Verify
a: means for all packages.
You can set up a cron job that runs hourly, daily or whatever frequency you want
and email you only the result if some files are failing the md5 checksum as
below:
rpm -Va | grep '^..5' | grep -E '/s?bin/' | mail -s "rpm report" youremail@xxxxxxxxxxxxxx
Hope this Helps.
Al-Juhani
aljuhani@xxxxxxxxx
>===== Original Message From cobalt-users@xxxxxxxxxxxxxxx =====
>Hi,
>In the Cobalt knowledge base I found an article about security,
>ref. No: 011221-000001 - "Checking for a system attack"
>I checked my system as recommended and here are the results:
>--------------------------------------------------------------
>[root /root]# rpm -V procps
>[root /root]# rpm -V net-tools
>[root /root]# rpm -V fileutils
>.M...... /usr/share/locale/de/LC_MESSAGES/fileutils.mo
>.M...... /usr/share/locale/es/LC_MESSAGES/fileutils.mo
>.M...... /usr/share/locale/fr/LC_MESSAGES/fileutils.mo
>.M...... /usr/share/locale/ja/LC_MESSAGES/fileutils.mo
>.M...... /usr/share/locale/zh/LC_MESSAGES/fileutils.mo
>[root /root]# rpm -V util-linux
>.M...... /usr/share/locale/de/LC_MESSAGES/util-linux.mo
>.M...... /usr/share/locale/fr/LC_MESSAGES/util-linux.mo
>.M...... /usr/share/locale/ja/LC_MESSAGES/util-linux.mo
>[root /root]#
>--------------------------------------------------------------
>Does it mean that my system's security was compromised?
>We have a Cobalt Cube 3
>
>Milen
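
The filter the reply describes, written out as an added example that is not part of the original message: it keeps only `rpm -V` lines whose third flag column is `5` and whose path is in a bin or sbin directory, so the `.M......` locale lines from the question and paths that merely contain the digit 5 are dropped. The function names and the sample lines are constructed for illustration (only the two `luser*` lines come from the thread).

```shell
#!/bin/sh
# Added example: filter `rpm -V` output for digest failures on executables.
# Function names and sample data are constructed, not from the thread.

# Reads `rpm -Va` output on stdin and prints the lines where
#   - the third flag column is "5" (digest differs from the RPM database), and
#   - the path lies in a bin or sbin directory.
# Executables reported as "missing" are printed as well.
digest_failures() {
    awk '
        # "missing" lines carry no flag string; keep missing executables
        $1 == "missing" {
            if ($NF ~ /\/s?bin\//) print
            next
        }
        # Flag string is 8 or more characters; the 3rd is the digest test
        length($1) >= 8 && substr($1, 3, 1) == "5" {
            # $NF is the path; a marker such as "c" (config) may precede it
            if ($NF ~ /\/s?bin\//) print
        }
    '
}

# Constructed sample of `rpm -Va` output in the line shapes quoted above.
sample_output() {
    cat <<'EOF'
S.5....T /usr/sbin/luseradd
S.5....T /usr/sbin/luserdel
.M...... /usr/share/locale/de/LC_MESSAGES/fileutils.mo
S.5....T c /etc/inittab
.......T /usr/bin/i586-example-tool
missing   /bin/ls
EOF
}

# Prints the failures and returns 0 only when there are any, so a cron
# wrapper can skip sending mail on a clean run.
report_if_any() {
    out=$(digest_failures)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}
```

In a cron script, `report=$(rpm -Va 2>/dev/null | report_if_any) && printf '%s\n' "$report" | mail -s "rpm report" <address>` sends mail only when a line survives the filter.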