On Wednesday, June 6, 2001, at 08:06 AM, Kevin D wrote:
> My baseline checker reports no more modified files, and I've
> portscanned all IPs on the raq, so it looks like the box is clean,
> which of course surprises me.
Bear in mind that this doesn't mean much in reality... There are often
timed backdoors that launch as either a cron job (crontab -l to check
for these) or as an at job... File modification times can be adjusted
using touch, and inode times can be changed with more sophisticated
tools...
There are many IDS which keep MD5 hashes of all the files on the system
as well as a file listing so you may want to look into one of these for
the future... I am not familiar with your "baseline checker" which
detected the file size change in /etc/passwd [which implies that it runs
quite often...] but does this also show any new file creations? If so
check for anything at all... especially lurking tmp or scratch...
setuids that don't seem quite right are also not entirely rare. I don't
know of any "rootkits" crafted specifically for cobalt (as I am
relatively new to cobalts in general) but it seems close enough to
redhat that the attacker may have also used one on your system, though
that seems least likely because your "baseline checker" probably would
have caught the change in the file sizes of some binaries.
Good luck on the forensics end of this process, it can be quite
frustrating...
--dave worth [ [EMAIL PROTECTED] ]
Perl Programmer for MIS Inc. [ http://www.misinc.net ]
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
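A small baseline checker in POSIX shell, added here as an example; it is not Kevin's "baseline checker" nor anything from the cobalt-security list. It records a content hash plus the permission string for every regular file, so a file whose mtime was put back with touch, or a binary that quietly gained the setuid bit, still shows up on comparison. The demo builds a throwaway tree, tampers with it the way the reply describes (edit plus touch -r, a dropped file in tmp, chmod u+s), and prints what an mtime-only "newer than the baseline" check sees next to what the hash comparison sees. SHA-256 stands in for the MD5 lists mentioned; the directory names, file contents and the toor account line are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not the "baseline checker" discussed in the thread.
# Records a content hash plus permission bits per regular file, so that
# a modified file whose mtime was reset with touch, or a binary that
# quietly gained the setuid bit, still shows up on comparison.
set -eu

# SHA-256 stands in for the MD5 lists mentioned in the reply.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# One line per regular file under $1: "<hash> <mode-string> <path>", sorted.
baseline_build() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(hash_file "$f")" "$(ls -ld "$f" | cut -c1-10)" "$f"
    done
}

# Diff two baselines: NEW / MISSING paths, MODIFIED when hash or mode changed.
baseline_compare() {
    awk '
        { p = $0; sub(/^[^ ]+ [^ ]+ /, "", p); sig = $1 " " $2 }
        FILENAME == ARGV[1] { old[p] = sig; next }
        { seen[p] = 1
          if (!(p in old))        print "NEW      " p
          else if (old[p] != sig) print "MODIFIED " p }
        END { for (p in old) if (!(p in seen)) print "MISSING  " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# The other places the reply says to look on a live box (not run by the demo).
list_setuid() { find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; ; }
list_scheduled_jobs() {
    { command -v crontab >/dev/null 2>&1 && crontab -l; } 2>/dev/null || true
    { command -v atq     >/dev/null 2>&1 && atq; }        2>/dev/null || true
    ls /etc/cron.d /etc/cron.daily /var/spool/cron 2>/dev/null || true
}

# Constructed scenario: build a tiny tree, baseline it, tamper with it the way
# the reply describes, then report what an mtime-only check sees versus the
# hash+mode comparison. The combined report goes to stdout.
demo_tamper() {
    work=$(mktemp -d)
    mkdir -p "$work/bin" "$work/etc" "$work/tmp"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/etc/passwd"
    printf '#!/bin/sh\necho hello\n' > "$work/bin/hello"
    chmod 755 "$work/bin/hello"
    cp -p "$work/etc/passwd" "$work.ref"        # keeps the original mtime
    baseline_build "$work" > "$work.base"
    sleep 1                                     # coarse-mtime filesystems

    # 1. extra root account appended, mtime put back with touch -r
    printf 'toor:x:0:0::/:/bin/sh\n' >> "$work/etc/passwd"
    touch -r "$work.ref" "$work/etc/passwd"
    # 2. a file dropped in tmp
    printf 'sleep 3600\n' > "$work/tmp/.x"
    # 3. a binary given the setuid bit (content and mtime unchanged, only ctime moves)
    chmod u+s "$work/bin/hello"

    # What "anything modified since the baseline?" by mtime reports: only the tmp file.
    find "$work" -type f -newer "$work.base" | sed 's/^/MTIME-NEWER /'
    # What the hash+mode comparison reports: all three changes.
    baseline_build "$work" > "$work.new"
    baseline_compare "$work.base" "$work.new"
    rm -rf "$work" "$work.ref" "$work.base" "$work.new"
}

demo_tamper
```

Run it as-is to see the two reports side by side; on a real box, run baseline_build once against a clean system and keep the output off-host, since an attacker with root can rewrite a baseline stored on the same disk just as easily as the files it describes.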