While a MIPS box may not be subject to whatever the 'crack-of-the-day'
was that started this thread (I don't remember what it was), if Sun
support thinks MIPS processors are 'not susceptible to intrusions' then
I would recommend NOT contacting Sun support with security questions.
   There are certainly quite a few MIPS rootkits etc. floating around on
the net and people with MIPS boxes do get cracked.  While the script
kiddies do seem to prefer the most common OS/architecture combinations,
that in no way means you won't be cracked just because your server is
MIPS or Alpha or i8080 based.
    Maybe it will only be twice a year that you get scanned by someone
with a script that knows what to do with a MIPS box instead of the twice
(or more) times a day that the Intel kiddies come by, but as many on this
list can attest to, it only takes one to ruin your day.

Frank

--On Monday, April 23, 2001 1:10 PM -0500 Bill Irwin <[EMAIL PROTECTED]> wrote:

>
> Glen,
>
> One thing I forgot to mention. All MIPS processor products are not
> susceptible to intrusions like this. Sorry for the confusion and
> worries. If you have a MIPS processor (you can usually tell when you
> login on telnet) then you have no need to worry.
>
> Once again sorry for the confusion and worries.
>
> This is also why I would recommend contacting the Support team before
> taking drastic actions. You may find out it was unnecessary in the first
> place.
>
> Glen Scott wrote:
>>
>> At 10:42 23/04/01, you wrote:
>> > William,
>> >
>> > The one I listed below is one I would worry about.
>> >
>> > > ..5.....   /bin/login  <==== this looks bad.
>> >
>> > Normally you would have M5 or MD5....../bin/login instead of ....5....
>> > This means it's been changed. This is VERY VERY bad. Login is one of the
>> > first things that an intruder will change. It's usually part of a rootkit
>> > designed to hide their intrusions and logons. They can be logged on
>> > while you are and you wouldn't even see them (that's if they do it
>> > correctly).
>>
>> I am getting this output on two Qube2's in our office- one which is not
>> even connected to the net.  Can you confirm that this means our systems
>> have been compromised?
>>
>> [admin@ds2 admin]$ rpm -V util-linux
>> Unsatisfied dependencies for util-linux-2.7-5C4: /usr/bin/perl5
>> ..5.....   /bin/login
>> .M5.....   /usr/bin/chfn
>> .M5.....   /usr/bin/chsh
>> .M5.....   /usr/bin/newgrp
>> .M5.....   /usr/bin/passwd
>> .M......   /usr/bin/write
>>
>> _______________________________________________
>> cobalt-security mailing list
>> [EMAIL PROTECTED]
>> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
> --
> Bill Irwin
> Technical Support Engineer
> Sun Microsystems, Inc.



--
Frank Smith                                          [EMAIL PROTECTED]
Systems Administrator                               Voice: 512-374-4673
Hoover's Online                                       Fax: 512-374-4501
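
As an added example (not part of the original thread), the following decodes the `rpm -V` lines quoted above: each column is one attribute that differs from the RPM database, and `.` means that check passed. The function names are hypothetical and the sample input is the output quoted in the thread.

```python
import re

# Columns of `rpm -V` output, in order. "P" (capabilities) exists only in the
# newer 9-column form; the thread shows the older 8-column form.
FLAGS = {
    "S": "size",
    "M": "mode (permissions/file type)",
    "5": "MD5 digest",
    "D": "device number",
    "L": "symlink target",
    "U": "owner",
    "G": "group",
    "T": "mtime",
    "P": "capabilities",
}

# flags-or-"missing", optional file-type marker (c/d/g/l/r), then the path
LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:[cdglr]\s+)?(/.*)$")

# Sample input: the output quoted in the thread.
SAMPLE = """\
Unsatisfied dependencies for util-linux-2.7-5C4: /usr/bin/perl5
..5.....   /bin/login
.M5.....   /usr/bin/chfn
.M5.....   /usr/bin/chsh
.M5.....   /usr/bin/newgrp
.M5.....   /usr/bin/passwd
.M......   /usr/bin/write
"""

def parse_verify(text):
    """Return {path: [attributes that differ from the package database]}."""
    results = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # dependency notes and blank lines carry no file result
        flags, path = m.groups()
        if flags == "missing":
            results[path] = ["missing"]
        else:
            results[path] = [FLAGS[c] for c in flags if c in FLAGS]
    return results

def content_changed(results):
    """Paths whose digest no longer matches what the package recorded."""
    return sorted(p for p, diffs in results.items() if "MD5 digest" in diffs)

if __name__ == "__main__":
    for path, diffs in parse_verify(SAMPLE).items():
        print(f"{path}: {', '.join(diffs)}")
```

The decoder reports which attributes differ, not why they differ, and the comparison is only as trustworthy as the `rpm` binary and RPM database on the host being checked.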
