[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] Chkrootkit Report Warning
- Subject: Re: [cobalt-security] Chkrootkit Report Warning
- From: John Bailey <support@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 10 Sep 2001 18:36:56 +0100 (BST)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> I have a concern with the report I received this morning from
> chkrootkit. It is a warning about shell history files dealing with "//."
> Could this be a hacked secondary file system?
As to why you've got them, I won't speculate. I don't know much about the
inards of chrootkit. As for if it's a hacked secondary file system,
that's pretty doubtful in my opinion. On any sensible unix-alike system,
multiple '/' like that should resolve to the equivelnt of a single slash -
'/' is used as a directory name seperator, therefore
'home//user'
is a seperation of home from a null string, which in turn is separated
from 'user'. As there's no text between the '//', it won't look for a
subdirectory. If you follow my drift, you'll see that
'home//user' is really the same as 'home/user' as is
'home/////////////////////////////user'
You can sometimes get double slashed occuring when you do things like
./configure --prefix=/usr/sbin/
Most good configure scripts would add a '/' on to the end of the prefix,
just in case the user forgot, giving '/usr/sbin//'. Hopefully that'll
reassure you somewhat, even if it doesn't answer your entire question!
Cheers,
John