Solaris 9 Security CX-310-301 42
-r-sr-xr-x 2 root bin 15296 Apr 7 2002 /usr/bin/sparcv9/uptime
-r-sr-xr-x 2 root bin 15296 Apr 7 2002 /usr/bin/sparcv9/w
-r-s--x--x 1 root sys 1163504 Jul 30 2003 /usr/bin/admintool
-r-sr-xr-x 1 root bin 21448 Feb 26 2003 /usr/bin/rcp
-r-sr-xr-x 1 root bin 55292 Apr 6 2002 /usr/bin/rdist
-r-sr-xr-x 1 root bin 15284 Apr 6 2002 /usr/bin/rlogin
-r-sr-xr-x 1 root bin 9176 Apr 6 2002 /usr/bin/rsh
-r-s--x--x 1 root lp 9872 Sep 19 2003 /usr/bin/cancel
-r-s--x--x 1 root lp 22972 Apr 7 2002 /usr/bin/lp
-r-s--x--x 1 root lp 9688 Apr 7 2002 /usr/bin/lpset
-r-s--x--x 1 root lp 22820 Apr 7 2002 /usr/bin/lpstat
-r-sr-xr-x 1 root sys 41416 Apr 6 2002 /usr/bin/chkey
-r-sr-xr-x 1 root bin 4832 Apr 7 2002 /usr/bin/mailq
-r-sr-xr-x 1 root bin 38732 Apr 7 2002 /usr/bin/rmformat
-r-sr-xr-x 1 root bin 6204 Apr 7 2002 /usr/bin/volcheck
-r-sr-xr-x 1 root bin 12620 Apr 7 2002 /usr/bin/volrmmount
-r-sr-xr-x 1 root bin 236492 Mar 14 2003 /usr/bin/pppd
---s--x--x 1 root uucp 69552 Apr 6 2002 /usr/bin/ct
---s--x--x 1 uucp uucp 83340 Apr 6 2002 /usr/bin/cu
---s--x--x 1 uucp uucp 66788 Aug 8 2003 /usr/bin/uucp
---s--x--x 1 uucp uucp 22676 Apr 6 2002 /usr/bin/uuglist
---s--x--x 1 uucp uucp 19576 Apr 6 2002 /usr/bin/uuname
---s--x--x 1 uucp uucp 61184 Aug 8 2003 /usr/bin/uustat
---s--x--x 1 uucp uucp 70908 Aug 8 2003 /usr/bin/uux
-rwsr-xr-x 1 root bin 52976 Apr 6 2002 /usr/bin/cdrw
• The last example identifies files in the /etc directory owned by the root user that have been
modified in the last two days:
# find /etc -user root -mtime -2 -print
/etc/passwd
/etc/inet/inetd.conf
As this example shows, the /etc/inet/inetd.conf file has been modified, which could indicate that an
unauthorized service has been enabled as a backdoor. The passwd file has also been modified, perhaps
to create a new account. Either way, the result should prompt the system administrator to
investigate further.
Using Tripwire
Tripwire is a third-party product, available from www.tripwire.com, that produces a fingerprint of specified
directories in a system and creates a database that can be checked to report changes to files. Tripwire does
not only report modifications to files; it also notices changes to file attributes, such as access time
and modification time.
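
The baseline-and-compare idea described above, as an added example that is not Tripwire's code or part of the original guide: it records attributes and a cksum checksum for each file, then reports content and attribute changes separately. The record format, the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Simplified integrity baseline (illustration only, not Tripwire's database format).
# Assumes file names contain no '|' or newline; mktemp is needed only by demo().

# fingerprint DIR: one record per regular file -> path|attributes|checksum
fingerprint() {
    find "$1" -type f -print | sort | while IFS= read -r f; do
        # mode, uid, gid, size and modification time as shown by ls -ln
        attrs=$(ls -ln "$f" | awk '{print $1, $3, $4, $5, $6, $7, $8}')
        sum=$(cksum < "$f" | awk '{print $1}')
        printf '%s|%s|%s\n' "$f" "$attrs" "$sum"
    done
}

# compare BASELINE CURRENT: report what differs between two fingerprint files
compare() {
    awk -F'|' '
        FILENAME == ARGV[1] { attrs[$1] = $2; sum[$1] = $3; next }
        !($1 in attrs)      { print "ADDED   " $1; next }
                            { seen[$1] = 1 }
        sum[$1] != $3       { print "CONTENT " $1 }
        attrs[$1] != $2     { print "ATTRS   " $1 }
        END { for (f in attrs) if (!(f in seen)) print "REMOVED " f }
    ' "$1" "$2" | sort
}

# demo: constructed sample tree standing in for /etc; prints the change report
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/etc"
    echo 'root:x:0:1::/:/sbin/sh' > "$d/etc/passwd"
    echo '#telnet stream tcp6'    > "$d/etc/inetd.conf"
    echo 'hosts: files'           > "$d/etc/nsswitch.conf"
    echo 'PASSREQ=YES'            > "$d/etc/login"
    chmod 644 "$d"/etc/*
    fingerprint "$d/etc" > "$d/baseline"

    echo ' telnet stream tcp6'    > "$d/etc/inetd.conf"   # content changed
    chmod 664 "$d/etc/nsswitch.conf"                      # attribute changed
    rm "$d/etc/login"                                     # file removed
    echo 'x' > "$d/etc/new.conf"                          # file added
    fingerprint "$d/etc" > "$d/current"

    compare "$d/baseline" "$d/current" | sed "s|$d/||"
    rm -rf "$d"
}

demo
```

cksum is a CRC, so it catches accidental or careless changes but not a deliberately crafted collision; an integrity checker used in production relies on cryptographic hashes and keeps its database on read-only or off-host storage.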