Those two "M" files seem to be ok to me. Here's what they were originally (thanks for the rpm tip, Graeme) :
# rpm -qvlif /usr/bin/newgrp | grep bin/newgrp
-rws--x--x root root 5576 Apr 17 1999 /usr/bin/newgrp
# rpm -qvlif /usr/bin/write | grep bin/write
-rwxr-sr-x root tty 8392 Apr 17 1999 /usr/bin/write

Their permissions were changed to this (on my machine) :

# ls -l /usr/bin/newgrp /usr/bin/write
-rwx--x--x 1 root root 5576 Apr 17 1999 /usr/bin/newgrp
-rwxr-xr-x 1 root tty 8392 Apr 17 1999 /usr/bin/write

That is, newgrp and write respectively had their SUID and SGID bits cleared. In other words, the security on these files has been *tightened*.

These files are config files:

> > S.5....T c /etc/pam.d/chfn
> > S.5....T c /etc/pam.d/chsh
> > S.5....T c /etc/pam.d/login

The S means the size has changed, the 5 means the contents of the file have changed, the T means the modification time has changed, and the c means they are config files. But it's not unusual at all for config files to be changed, so that doesn't point to anything immediately sinister ... but if you wanted to know for sure, you'd have to inspect them and work out what is going on of course.

On Mon, 15 Jul 2002 03:54:21 -0400 "David Seaton" <[EMAIL PROTECTED]> wrote:

> Martin,
> No, it's cool man, I -think- everything is fine. Nobody seemed to say anything
> about the last two
> > .M...... /usr/bin/newgrp
> > .M...... /usr/bin/write
> I was just asking about the other messages.
> > S.5....T c /etc/pam.d/chfn
> > S.5....T c /etc/pam.d/chsh
> > S.5....T c /etc/pam.d/login
> If you note, I did not use the "|grep bin" at the end of my execution string.
> Curiosity I suppose.
>
> ----- Original Message -----
> From: "Martín Fiumara" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, July 15, 2002 3:37 AM
> Subject: Re: [cobalt-security] Have you been hacked?
>
> David, can you tell me what that result means? I'm just learning Linux basics :)
> Means that the server has been hacked?
> If not, must I reinstall something or fix something? The raq3 has all the
> cobalt patches up to date....
>
> Thanks for the help
>
> ----- Original Message -----
> From: "David Seaton" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, July 15, 2002 4:07 AM
> Subject: Re: [cobalt-security] Have you been hacked?
>
> > Just for fun I checked myself with:
> > rpm -Vf /bin/login /usr/sbin/tcpd
> >
> > and results were:
> > S.5....T c /etc/pam.d/chfn
> > S.5....T c /etc/pam.d/chsh
> > S.5....T c /etc/pam.d/login
> > .M...... /usr/bin/newgrp
> > .M...... /usr/bin/write
> >
> > Nothing to worry about right?
> >
> > -David Seaton
> >
> > _______________________________________________
> > cobalt-security mailing list
> > [EMAIL PROTECTED]
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
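
The flag reading done by hand in the reply at the top of this thread, as an added example that is not part of the original messages: it parses `rpm -V` output, decodes the changed attributes, and compares a packaged mode string against the on-disk one to see which special bits were gained or dropped. The function names and triage labels are hypothetical, and the sample input is built from the lines quoted in the thread.

```python
import re

# Letters rpm -V prints per column; '.' = test passed, '?' = test not performed.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}
LINE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")

def parse_verify(output):
    """Return {path: (set_of_changed_attributes, is_config)} from rpm -V output."""
    result = {}
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if m:
            flags, attr, path = m.groups()
            result[path] = ({FLAGS[c] for c in flags if c in FLAGS}, attr == "c")
    return result

def special_bits(mode):
    """Extract setuid/setgid/sticky from an ls-style mode string like -rws--x--x."""
    bits = set()
    if mode[3] in "sS": bits.add("setuid")
    if mode[6] in "sS": bits.add("setgid")
    if mode[9] in "tT": bits.add("sticky")
    return bits

def mode_drift(packaged, on_disk):
    """For an 'M' finding: which special bits were gained or dropped on disk."""
    before, after = special_bits(packaged), special_bits(on_disk)
    return {"gained": after - before, "dropped": before - after}

def triage(changed, is_config):
    """Hypothetical labels (an assumption of this example), most urgent first."""
    if "digest" in changed and not is_config:
        return "review-first"    # contents of a packaged non-config file differ
    if "digest" in changed:
        return "inspect-config"  # edited config file: common, but read the change
    if "mode" in changed:
        return "compare-mode"    # compare rpm -qvl mode with ls -l mode
    return "low"

# Constructed sample: the rpm -V lines quoted in the thread.
SAMPLE = """\
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
.M...... /usr/bin/newgrp
.M...... /usr/bin/write
"""

if __name__ == "__main__":
    for path, (changed, is_config) in parse_verify(SAMPLE).items():
        print(f"{path}: {sorted(changed)} -> {triage(changed, is_config)}")
    print("newgrp:", mode_drift("-rws--x--x", "-rwx--x--x"))
    print("write: ", mode_drift("-rwxr-sr-x", "-rwxr-xr-x"))
```

A non-empty "gained" set on a mode finding is the case that needs explaining; a "dropped" set matches the tightening described in the reply.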
