> Although it is not 100% accurate (tell this to the customer), one can be
> reasonably sure that the server has been hacked if any of the following
> produces output:
>
> rpm -V procps
> rpm -V fileutils
> rpm -V net-tools
> rpm -V util-linux
> ...any questions, run these on our servers.
>
> NOTE: util-linux will complain about:
> S.5....T c /etc/pam.d/chfn
> S.5....T c /etc/pam.d/chsh
> S.5....T c /etc/pam.d/login
> .M...... /usr/bin/newgrp
> .M...... /usr/bin/write
> These are OK...they should not be different, but they DO NOT show that
> you've been hacked.
OK, I tried this, and the last one, rpm -V util-linux gives the
following:
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
..?..... /usr/bin/chfn
..?..... /usr/bin/chsh
.M?..... /usr/bin/newgrp
.M...... /usr/bin/write
Are the /usr/bin/chfn and /usr/bin/chsh lines a problem? I've found a
few references to bugs in these programs from a few years ago.
-Scott
--------------------------------
Scott Genevish
Training Systems Project Manager
Kinko's, Inc
(805) 477-5307
--------------------------------
_______________________________________________
cobalt-security mailing list
http://list.cobalt.com/mailman/listinfo/cobalt-security
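
The flag columns in the `rpm -V` output quoted in this thread can be decoded mechanically. The following is an added example, not part of the original messages: it parses each line by column position using the flag meanings from the rpm(8) man page, where `.` means the test passed and `?` means rpm could not perform that test. The function names and bucket names are hypothetical, chosen for illustration.

```python
import re

# Column order and meanings per the rpm(8) man page. The thread shows the
# 8-column layout; newer rpm versions print a 9th column (P).
COLUMNS = [("S", "size"), ("M", "mode"), ("5", "digest"), ("D", "device"),
           ("L", "symlink target"), ("U", "owner"), ("G", "group"),
           ("T", "mtime"), ("P", "capabilities")]
# flags, optional file marker (c = config file), absolute path
LINE_RE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")

# Output of `rpm -V util-linux` as quoted in the reply above.
SAMPLE = """\
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
..?..... /usr/bin/chfn
..?..... /usr/bin/chsh
.M?..... /usr/bin/newgrp
.M...... /usr/bin/write
"""

def parse_line(line):
    """Decode one rpm -V line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    cols, marker, path = m.groups()
    # A column failed if it shows its own letter; '?' means it was not tested.
    failed = [name for (flag, name), c in zip(COLUMNS, cols) if c == flag]
    unchecked = [name for (_, name), c in zip(COLUMNS, cols) if c == "?"]
    return {"path": path, "config": marker == "c",
            "failed": failed, "unchecked": unchecked}

def triage(output):
    """Group paths by what the flags actually establish about each file."""
    buckets = {"content_changed": [], "config_changed": [],
               "not_checked": [], "metadata_only": []}
    for rec in filter(None, map(parse_line, output.splitlines())):
        if rec["config"] and rec["failed"]:
            key = "config_changed"      # edited config file
        elif "digest" in rec["failed"]:
            key = "content_changed"     # packaged file's contents differ
        elif "digest" in rec["unchecked"]:
            key = "not_checked"         # digest test could not be run
        else:
            key = "metadata_only"       # mode/owner/mtime etc. only
        buckets[key].append(rec["path"])
    return buckets

if __name__ == "__main__":
    for name, paths in triage(SAMPLE).items():
        print(f"{name}: {paths}")
```

A path in `not_checked` has no digest verdict either way, so it needs to be re-verified under conditions where rpm can read the file before any conclusion is drawn from it.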