[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] Chkrootkit Report Warning

Subject: Re: [cobalt-security] Chkrootkit Report Warning
From: John Bailey <support@xxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 10 Sep 2001 18:36:56 +0100 (BST)
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

> I have a concern with the report I received this morning from
> chkrootkit. It is a warning about shell history files dealing with "//."
> Could this be a hacked secondary file system?

As to why you've got them, I won't speculate.  I don't know much about the
inards of chrootkit.  As for if it's a hacked secondary file system,
that's pretty doubtful in my opinion.  On any sensible unix-alike system,
multiple '/' like that should resolve to the equivelnt of a single slash -
'/' is used as a directory name seperator, therefore

'home//user'

is a seperation of home from a null string, which in turn is separated
from 'user'.  As there's no text between the '//', it won't look for a
subdirectory.  If you follow my drift, you'll see that

'home//user' is really the same as 'home/user' as is
'home/////////////////////////////user'

You can sometimes get double slashed occuring when you do things like

./configure --prefix=/usr/sbin/

Most good configure scripts would add a '/' on to the end of the prefix,
just in case the user forgot, giving '/usr/sbin//'.  Hopefully that'll
reassure you somewhat, even if it doesn't answer your entire question!

Cheers,

John

References:
- [cobalt-security] Chkrootkit Report Warning
  - From: enrique

Prev by Date: Re: [cobalt-security] about cd .. command can change home directory up to root server
Next by Date: Re: [cobalt-security] Re: How did they do this - Thank You Guys
Previous by thread: [cobalt-security] Chkrootkit Report Warning
Next by thread: [cobalt-security] Re: Chkrootkit Report Warning

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index