RE: [cobalt-security] A hacked box - an example

MikeM Tue, 24 Apr 2001 06:10:31 -0700

> Just want to show you a box that has been hacked into and what it looks
> like. [snip]
>
> A customer believed he was hacked and asked me to verify. Here's the
> results:
> [snip]
>


I ran those commands on my RaQ3, and here's what I got:

[admin@config /home]$ rpm -V procps
[admin@config /home]$ rpm -V fileutils
[admin@config /home]$ rpm -V net-tools
[admin@config /home]$ rpm -V util-linux
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
..?.....   /usr/bin/chfn
..?.....   /usr/bin/chsh
.M?.....   /usr/bin/newgrp
.M......   /usr/bin/write
[admin@config /home]$ lsattr /bin/login
-------- /bin/login
[admin@config /home]$ ls /bin/login -l
-rwsr-xr-x   1 root     root        20164 Apr 17  1999 /bin/login



I'm especially curious about login, the MD5 and size are different, yet the
lsattr shows nothing.

Thanks.

Should I be concerned?  What does a clean box look like?


_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security

RE: [cobalt-security] A hacked box - an example

Reply via email to