[cobalt-security] Re: Chkrootkit Report Warning
- Subject: [cobalt-security] Re: Chkrootkit Report Warning
- From: "Gareth" <garth@xxxxxxxxxxxxxxx>
- Date: Tue, 11 Sep 2001 09:54:42 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Before, I have seen hackers make a directory from a non-printable character
and hide things in that directory; at the time they used alt+0253,
i.e. /ý/, which at the time was non-printable when you did an ls or a cd. This
is a possibility for your system. I believe chkrootkit does a recursive
search of your disk and has found these files. But after reading your message
again, I notice this is in the history files, which could suggest that the
person that these commands were in ran a script with a [root] key, and a
[path] key which both included / ? I dunno.
Gareth
> Message: 2
> Date: Mon, 10 Sep 2001 12:15:38 -0400
> From: enrique <enriquevega@xxxxxxx>
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] Chkrootkit Report Warning
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> I have a concern with the report I received this morning from
> chkrootkit. It is a warning about shell history files dealing with "//."
> I don't understand why I would have a double slash directory listing.
> Can anyone give me an idea? Below is a partial listing from the report:
>
> Searching for anomalies in shell history files... Warning: `//var/tmp
> //var/log/httpd
> //var/spool/mail/kfarley
> //etc/localtime
> //etc/rc.d/init.d/pmfirewall
> //etc/rc.d/init.d/webmin
> //etc/rc.d/rc0.d/K90mysql
> ...
>
> Could this be a hacked secondary file system?
>
> enrique
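
A check for the kind of hidden directory described in the reply above, as an added example that is not part of the original thread and is not chkrootkit's own code. It walks a tree using raw byte names and flags entries that a plain ls would not show legibly; the function names and the extra whitespace check are assumptions of this example.

```python
import os
import tempfile


def suspicious_reason(name: bytes):
    """Return why a raw directory-entry name would be hard to see in ls, or None."""
    if any(b < 0x20 or b == 0x7F for b in name):
        return "control character"
    if any(b >= 0x80 for b in name):
        # A high byte such as 0xFD (alt+0253) shows as '?' or nothing in a C-locale ls.
        # Legitimate on systems with UTF-8 file names, so treat it as a lead, not proof.
        return "non-ASCII byte"
    if name != name.strip():
        # Beyond the thread: names padded with spaces are equally invisible in listings.
        return "leading/trailing whitespace"
    return None


def find_hidden_names(root: str):
    """Walk root with bytes paths so names are never decoded or sanitised."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(os.fsencode(root)):
        for name in dirnames + filenames:
            reason = suspicious_reason(name)
            if reason:
                hits.append((os.path.join(dirpath, name), reason))
    return hits


if __name__ == "__main__":
    # Constructed sample tree: one ordinary directory and one named with byte 0xFD.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "httpd"))
        os.mkdir(os.path.join(os.fsencode(root), b"\xfd"))
        for path, reason in find_hidden_names(root):
            # Printing the bytes object shows the exact name, e.g. b'/tmp/x/\xfd'
            print(reason, path)
```

Run it against a mount point as root so unreadable directories are not silently skipped, and compare the escaped names it prints with what ls shows for the same parent directory.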