
HP-UX hacking program

 
SOLVED
Go to solution
Jojo Castro
Regular Advisor

Re: HP-UX hacking program

One more thing Dennis, can a normal ordinary user have the capability to set their UID and GID with the setuid and setgid commands?
Dennis Handly
Acclaimed Contributor

Re: HP-UX hacking program

>can a normal ordinary user have the capability to set their UID and GID with setuid and setgid syscalls?

No, that's why the program has setuid root: -rwsr-xr-x.
Once you remove that permission, "su -" will ask you for root's password.
Jojo Castro
Regular Advisor

Re: HP-UX hacking program

Thanks Dennis. One last question, do you think he destroyed other "valid" executable files such as /usr/bin/su, etc...

# ll /usr/bin/su
-r-sr-x--- 1 root suers 51872 Aug 3 2005 /usr/bin/su
Dennis Handly
Acclaimed Contributor

Re: HP-UX hacking program

>do you think he destroyed other "valid" executable files

Use swverify: swverify "*"

Of course if "swverify -F '*'" was used right after the files were modified, you could no longer check it that way. You could look for the swmodify.log for the past year.
Bill Hassell
Honored Contributor

Re: HP-UX hacking program

> strings /usr/sbin/mhello

So the program is located in /sbin. This means that a root user created this program sometime in the past (unless the permissions on /usr and /usr/sbin have been hacked - should be 755). This is often called a backdoor program and may have been a novice sysadmin's attempt to survive a root password problem. You might want to consider installing/using sudo and not give out the root password to anyone.


Bill Hassell, sysadmin
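Added example, not code from any of the posts above: a small POSIX sh audit that lists setuid files under a directory tree (the check Dennis's "-rwsr-xr-x" point calls for) and flags directories writable by group or others (Bill's "should be 755" point). It assumes only find, ls and awk, and the tree it demonstrates on is a constructed scratch directory, not a real system.

```shell
# audit_setuid DIR: print "mode owner path" for every regular file with
# the setuid bit set under DIR. "find -perm -4000" is POSIX, so it works
# on HP-UX as well as Linux; the mode/owner come from ls -ld.
audit_setuid() {
    find "$1" -type f -perm -4000 -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $NF }'
}

# count_setuid DIR: number of setuid files under DIR, for quick comparisons
# against a known-good baseline.
count_setuid() {
    audit_setuid "$1" | wc -l | tr -d ' '
}

# loose_dirs DIR: print each directory under DIR that is writable by group
# or others. For /usr and /usr/sbin this should print nothing (mode 755).
loose_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# demo: run the checks on a constructed scratch tree (sample data only).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/sbin" "$t/open"
    : > "$t/sbin/mhello";  chmod 4755 "$t/sbin/mhello"   # setuid, like the thread's program
    : > "$t/sbin/normal";  chmod 0755 "$t/sbin/normal"   # ordinary binary, not reported
    chmod 0777 "$t/open"                                 # world-writable directory, reported
    echo "setuid files under $t:"; audit_setuid "$t"
    echo "group/other-writable dirs:"; loose_dirs "$t"
    rm -rf "$t"
}
```

Running audit_setuid on a real tree and diffing the output against a copy taken at install time is the manual equivalent of the swverify check when the software database can no longer be trusted.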
Jojo Castro
Regular Advisor

Re: HP-UX hacking program

Thanks again Dennis