I had a break-in with a sniffer installed. No root kit. I've cleaned up but I wanted to check a few files. I believe my /bin/login has been spoofed but I think that is the only file.
Can someone with a RaQ3i and all the latest updates verify the following items match?

1) ls -al /bin/bash /bin/login /bin/ls /bin/ps /bin/su

   root.root   373176  Apr 6 1999   /bin/bash
   root.wheel  212244  Apr 17 1999  /bin/login
   root.root   50148   Sep 8 1999   /bin/ls
   root.root   60460   Apr 3 1999   /bin/ps
   root.root   13208   Apr 13 1999  /bin/su

2) ls -al /usr/bin/ftp /usr/bin/passwd /usr/bin/rlogin /usr/bin/rsh

   root.root   62268   Mar 21 1999   /usr/bin/ftp
   root.root   10704   Apr 14 1999   /usr/bin/passwd
   root.root   10516   Apr 15 1999   /usr/bin/rlogin
   root.root   7780    Apr 15, 1999  /usr/bin/passwd

If you could also send me an email with the md5sum on these same files I would appreciate it (or I can send it to you if you wish). I will also need to get a new copy of /bin/login from someone.

Thanks.

---------------------------------------------------
DuoMark International, Inc.
6523 Colgate Avenue, Suite 325
Los Angeles, CA 90048-4410 / USA
Voice: +1 323 381-0002
FAX: +1 323 549 0172
Email: [EMAIL PROTECTED]
WWW: http://www.duomark.com/
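The size and md5sum comparison requested above, as an added example that is not part of the original post: one function records path, size and MD5 for each file, the other compares the suspect host's manifest with one made on a known-good host. The function names and the demo files are constructed for illustration; the demo gives the two login files the same size so that only the digest exposes the change.

```shell
#!/bin/sh
# Added example: compare local system binaries against a manifest made on a
# known-good host. Run it with tools from trusted media, since ls/md5sum on a
# compromised system may themselves have been replaced.

# make_manifest FILE...  -> one "path size md5" line per file
make_manifest() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            size=$(wc -c < "$f" | tr -d ' ')
            sum=$(md5sum < "$f" | cut -d' ' -f1)
            printf '%s %s %s\n' "$f" "$size" "$sum"
        else
            printf '%s MISSING -\n' "$f"
        fi
    done
}

# compare_manifests REFERENCE LOCAL -> prints differences, returns 1 if any
compare_manifests() {
    awk '
        NR == FNR      { ref[$1] = $2 " " $3; next }
        { seen[$1] = 1 }
        !($1 in ref)   { print "NOT-IN-REFERENCE " $1; bad = 1; next }
        ref[$1] != $2 " " $3 {
            print "MISMATCH " $1 " local=" $2 "/" $3 " reference=" ref[$1]
            bad = 1
        }
        END {
            for (p in ref) if (!(p in seen)) { print "NOT-CHECKED " p; bad = 1 }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Constructed demo: two tiny trees stand in for the good and suspect hosts.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/good/bin" "$d/suspect/bin"
    printf 'login-v1\n' > "$d/good/bin/login";    printf 'ls-v1\n' > "$d/good/bin/ls"
    printf 'login-XX\n' > "$d/suspect/bin/login"; printf 'ls-v1\n' > "$d/suspect/bin/ls"
    (cd "$d/good"    && make_manifest bin/login bin/ls) > "$d/ref.txt"
    (cd "$d/suspect" && make_manifest bin/login bin/ls) > "$d/local.txt"
    compare_manifests "$d/ref.txt" "$d/local.txt"; rc=$?
    rm -rf "$d"
    return $rc
}

demo || echo "differences found"
```

On the two real hosts, run make_manifest with the same path list on each and pass the known-good output as the first argument to compare_manifests.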
