Do a test: run ps -A and see the output. If it gives you some error, then I have bad news: you have been rootkitted. I say that because my RaQ was compromised once, and I discovered that the ps, ls, and su binaries were changed for other binaries from a rootkit... don't remember the name right now.

----- Original Message -----
From: "Jay Nelson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 06, 2001 1:08 AM
Subject: [cobalt-security] Hacked, need to verify some files

> I had a break in with a sniffer installed. No root kit.
> I've cleaned up but I wanted to check a few files.
> I believe my /bin/login has been spoofed but I think
> that is the only file.
>
> Can someone with a RaQ3i and all the latest updates
> verify the following items match?
>
> 1) ls -al /bin/bash /bin/login /bin/ls /bin/ps /bin/su
>
> root.root 373176 Apr 6 1999 /bin/bash
> root.wheel 212244 Apr 17 1999 /bin/login
> root.root 50148 Sep 8 1999 /bin/ls
> root.root 60460 Apr 3 1999 /bin/ps
> root.root 13208 Apr 13 1999 /bin/su
>
> 2) ls -al /usr/bin/ftp /usr/bin/passwd /usr/bin/rlogin /usr/bin/rsh
>
> root.root 62268 Mar 21 1999 /usr/bin/ftp
> root.root 10704 Apr 14 1999 /usr/bin/passwd
> root.root 10516 Apr 15 1999 /usr/bin/rlogin
> root.root 7780 Apr 15, 1999 /usr/bin/passwd
>
>
> If you could also send me an email with the md5sum
> on these same files I would appreciate it (or I can send
> it to you if you wish). I will also need to get a new copy
> of /bin/login from someone.
>
> Thanks.
>
> ---------------------------------------------------
> DuoMark International, Inc.
> 6523 Colgate Avenue, Suite 325
> Los Angeles, CA 90048-4410 / USA
> Voice: +1 323 381-0002
> FAX: +1 323 549 0172
> Email: [EMAIL PROTECTED]
> WWW: http://www.duomark.com/
>
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
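
The file comparison requested in this thread, as an added example that is not from either poster: a manifest is built on a known-good machine of the same model and patch level, then checked against the suspect disk. It assumes the suspect disk is mounted from trusted rescue media (the thread itself notes that ps, ls and su can be replaced, so the host's own tools cannot be relied on), uses sha256sum in place of the md5sum asked for above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare system binaries against a manifest built on a
# known-good machine of the same model and patch level.
# Assumption: ROOT is the suspect disk mounted from trusted rescue media, so
# the sha256sum and wc used here are not the suspect host's own binaries.

# make_manifest ROOT PATH... : print "sha256 size path" for each file.
make_manifest() {
    root=$1; shift
    for p in "$@"; do
        f="$root$p"
        [ -f "$f" ] || { echo "skip: $p not found" >&2; continue; }
        sum=$(sha256sum < "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$sum" "$size" "$p"
    done
}

# verify_manifest ROOT MANIFEST : report each file, return 1 on any failure.
verify_manifest() {
    root=$1; manifest=$2; bad=0
    while read -r want_sum want_size p; do
        [ -n "$p" ] || continue          # ignore blank lines
        f="$root$p"
        if [ ! -f "$f" ]; then
            echo "MISSING  $p"; bad=1; continue
        fi
        got_sum=$(sha256sum < "$f" | cut -d' ' -f1)
        got_size=$(wc -c < "$f" | tr -d ' ')
        if [ "$got_sum" != "$want_sum" ]; then
            # Size is shown only as a hint: a replaced binary can be padded
            # to the original size, so an equal size proves nothing.
            echo "MISMATCH $p (size $got_size, expected $want_size)"; bad=1
        else
            echo "OK       $p"
        fi
    done < "$manifest"
    return $bad
}
```

A matching size and date in an ls -al listing is therefore only a first filter; the hash comparison is what decides whether a file is the original.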
