Newaliases is modified as a side effect of modifying sendmail (they are links to each other). Note that newaliases has the same signature as sendmail (and some of the other files ... I've included and reordered the 'interesting' MD5 sigs).

Slogin was probably trojaned to capture outgoing passwords / secret keys. If anybody on your system uses slogin (slogin is usually a symlink to ssh, so I don't know why ssh didn't show up there), then they'll need to replace all passwords/secret keys, and check for intrusion on their remote systems.

This looks like it's a rootkit with a twist -- modifying different files than a normal rootkit would attack -- possibly in hopes of avoiding detection that way.

Ingram wrote:
> greetings community,
>
> first thx for all comments on my topic!
>
> As most ppl suggest, i installed a clean OpenBSD 3.1 with the same
> modifications as the hacked box. After that i've done a md5/diff
> on /bin /sbin /usr/bin /usr/sbin and /etc
>
> < MD5 (sendmail) = 14003b72c1930d27d3dc2140abee57c1
> < MD5 (hoststat) = 14003b72c1930d27d3dc2140abee57c1
> < MD5 (mailq) = 14003b72c1930d27d3dc2140abee57c1
> < MD5 (newaliases)=14003b72c1930d27d3dc2140abee57c1
> < MD5 (purgestat)= 14003b72c1930d27d3dc2140abee57c1
> < MD5 (htdigest) = e1fb58fbd203761e24218c6859ab720b
> < MD5 (htpasswd) = e5d13570cf10a82a17829fa026f572b1
> < MD5 (slogin) = f8309f1329802e30c7e6badf3896cfa4
> > MD5 (slogin) = 9862a890469ac61404368f546514f8bd
> ....
>
> I expected to find trojaned ps, netstat, etc. but nothing. Hmm maybe the
> attacker did _not_ use a rootkit (strange?) or he has used some exotic
> one.
>
> Is there anything else i could do to get more Information?

-- 
Stephen Samuel +1(604)876-0426 samuelat_private http://www.bcgreen.com/~samuel/
   Powerful committed communication, reaching through fear, uncertainty and doubt
   to touch the jewel within each person and bring it to life.
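The clean-install md5/diff check from the quoted post, written out as an added example (not code from the list post or from OpenBSD): it parses the `MD5 (file) = hash` listing that md5(1) prints, reports the files whose hash differs, and uses hashes shared on the clean side to tell which hits are one modified binary seen through several links (sendmail/newaliases/mailq) from a link that was broken by a separate replacement file (slogin no longer matching ssh). The two manifests, their hashes and the function names are constructed for the example.

```python
import re
# "MD5 (file) = hash" as OpenBSD's md5(1) prints it; the quoted listing
# drops the spaces around '=' in places, so they are optional here.
MD5_LINE = re.compile(r"^MD5 \((?P<name>[^)]+)\)\s*=\s*(?P<hash>[0-9a-fA-F]{32})\s*$")
# Constructed manifests (hashes made up): CLEAN from a fresh install with the
# same options, SUSPECT from the hacked box. sendmail/newaliases/mailq are
# links to one binary and slogin is normally a symlink to ssh.
CLEAN = """\
MD5 (sendmail) = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
MD5 (newaliases)=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
MD5 (mailq) = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
MD5 (slogin) = bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
MD5 (ssh) = bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""
SUSPECT = """\
MD5 (sendmail) = dddddddddddddddddddddddddddddddd
MD5 (newaliases) = dddddddddddddddddddddddddddddddd
MD5 (mailq) = dddddddddddddddddddddddddddddddd
MD5 (slogin) = eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
MD5 (ssh) = bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""

def parse_md5(text):
    """md5(1) listing -> {file: hash}; lines that do not match are skipped."""
    manifest = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            manifest[m.group("name")] = m.group("hash").lower()
    return manifest

def changed_files(clean, suspect):
    """Files on both sides whose hash differs (the '<'/'>' pairs in the diff)."""
    return sorted(n for n in clean if n in suspect and clean[n] != suspect[n])

def hash_groups(manifest):
    """Names sharing one hash: several links to one file, so one change shows up N times."""
    groups = {}
    for name, h in manifest.items():
        groups.setdefault(h, []).append(name)
    return {h: sorted(ns) for h, ns in groups.items() if len(ns) > 1}

def split_groups(clean, suspect):
    """Clean-side link groups whose members no longer agree on the suspect box (or went missing)."""
    split = []
    for names in hash_groups(clean).values():
        if len({suspect.get(n) for n in names}) > 1:
            split.append(names)
    return split
```

On the constructed input, `changed_files` lists all three sendmail names plus slogin, `hash_groups(parse_md5(SUSPECT))` shows the sendmail trio still sharing one (new) hash, and `split_groups` singles out the slogin/ssh pair.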
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Aug 02 2002 - 04:20:51 PDT