On Wednesday 05 December 2001 23:08, you wrote:
> I had a break in with a sniffer installed. No root kit.
> I've cleaned up but I wanted to check a few files.
> I believe my /bin/login has been spoofed but I think
> that is the only file.
>
> Can someone with a RaQ3i and all the latest updates
> verify the following items match?
>
> 1) ls -al /bin/bash /bin/login /bin/ls /bin/ps /bin/su
>
> root.root 373176 Apr 6 1999 /bin/bash 1936633e92d70e29147fab0658faa1ac /bin/bash
> root.wheel 212244 Apr 17 1999 /bin/login e400921eb6a2c84822c5d7de5b4f3057 /bin/login
> root.root 50148 Sep 8 1999 /bin/ls f482ae701e46005a358a01c139f1ae74 /bin/ls
> root.root 60460 Apr 3 1999 /bin/ps 6d16efee5baecce7a6db7d1e1a088813 /bin/ps
> root.root 13208 Apr 13 1999 /bin/su 231be390b7abe8c8ea5e3d9ee0dc8868 /bin/su

#1 is OK

> 2) ls -al /usr/bin/ftp /usr/bin/passwd /usr/bin/rlogin /usr/bin/rsh
>
> root.root 62268 Mar 21 1999 /usr/bin/ftp 48b7845a675be49f6c3a463baffe08ec /usr/bin/ftp
> root.root 10704 Apr 14 1999 md5sum /usr/bin/passwd b0ea7b138e3fab9a4d116a3d05685147 /usr/bin/passwd
> root.root 10516 Apr 15 1999 /usr/bin/rlogin cc723a722bdddb6779c5e5e150288c6e /usr/bin/rlogin
> root.root 7780 Apr 15, 1999 /usr/bin/passwd
>

#2 is OK

> If you could also send me an email with the md5sum
> on these same files I would appreciate it (or I can send
> it to you if you wish). I will also need to get a new copy
> of /bin/login from someone.
>

Gerald
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
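
Added example, not part of the original message: a Python sketch of the comparison this thread performs by hand, checking the size and MD5 of each binary against a reference taken from a known-good machine. The `<md5> <size> <path>` reference format, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk=65536):
    """Hash the file in blocks. MD5 is used only because the thread exchanges md5sum output."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_reference(text):
    """Parse '<md5> <size> <absolute path>' lines (assumed format) into a dict."""
    ref = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, size, path = line.split(None, 2)
            ref[path] = (digest.lower(), int(size))
    return ref

def compare(ref, root="/"):
    """Check every reference entry under root. root can be the suspect disk
    mounted read-only on a trusted machine, so that no binary from the
    compromised system (ls, md5sum) is relied on for the check."""
    report = {}
    for path, (digest, size) in sorted(ref.items()):
        local = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(local):
            report[path] = "MISSING"
        elif os.path.getsize(local) != size:
            report[path] = "SIZE_MISMATCH"
        elif md5_of(local) != digest:
            report[path] = "MD5_MISMATCH"   # same size, different content
        else:
            report[path] = "OK"
    return report

def demo():
    """Constructed sample: known-good contents versus what is on the 'suspect' tree."""
    good = {"/bin/ls": b"original ls\n", "/bin/login": b"original login\n",
            "/bin/ps": b"original ps\n", "/bin/su": b"original su\n"}
    on_disk = {"/bin/ls": b"original ls\n", "/bin/login": b"trojaned login\n",
               "/bin/ps": b"original ps plus extra\n"}   # /bin/su is absent
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for path, data in on_disk.items():
        with open(os.path.join(root, path.lstrip("/")), "wb") as f:
            f.write(data)
    manifest = "\n".join(f"{hashlib.md5(d).hexdigest()} {len(d)} {p}" for p, d in good.items())
    return compare(parse_reference(manifest), root)
```

The `/bin/login` case in `demo()` has the same byte length as the reference, which is why a size and date match from `ls -al` alone is not sufficient and the digest comparison is needed.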
