on 28/6/01 9:23 pm, Bill Irwin <[EMAIL PROTECTED]> wrote: > Although it is not 100% accurate, one can be reasonably sure that the > server has been hacked if any of the following produces output: > NOTE: util-linux will complain about: > S.5....T c /etc/pam.d/chfn > S.5....T c /etc/pam.d/chsh > S.5....T c /etc/pam.d/login > .M...... /usr/bin/newgrp > .M...... /usr/bin/write > These are OK...they should not be different, but they DO NOT show > that you have been hacked. Hello Bill, Although your other commands outputted nothing on my RaQ3, rpm -V util-linux added ..?..... /usr/bin/chfn ..?..... /usr/bin/chsh to what you mentioned as normal above. Running "ps ax" shows nothing unusual listening on any port. "ls -l" gives this for each file... -rws--x--x 1 root root 13800 Apr 17 1999 /usr/bin/chsh -rws--x--x 1 root root 14088 Apr 17 1999 /usr/bin/chfn How concerned should I be? This RaQ has been behaving very well for a long time now (especially after replacing ChiliASP with PHP4). Haven't yet applied the very latest patch out last week, but otherwise it is up-to-date. Thanks, David B. -- David Buxton - planetrapido.com Email [EMAIL PROTECTED] 14 - 16 Great Pulteney St. Tel 020-7440-5760 London, W1F 9ND Mobile 07967-484643 United Kingdom _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
