
Re: [cobalt-security] amd root?

Michael Stauber wrote:

> > On one customer system chkrootkit is reporting "amd" and "syslogd" are
> > both infected.
> 
> This could be the LRK4 rootkit - among others:
> 
> http://project.honeynet.org/challenge/results/submissions/addam/toolkit.txt
> 
> However, if so, then chkrootkit should find and identify it correctly, if I'm
> not mistaken.

Thanks for the info.  The customer has decided he'll do whatever he does
on his own.

I hope he does something.

> Jeff, I gather you're quite experienced in regards to Cobalts.
> 
> Did you recently stumble across any RaQ3 or RaQ4 which had /etc/shadow set to
> -r--------?
> 
> Just today I had the third RaQ with the same signs and indications and I've
> heard about two others with the same issue.

Yes, but mine were okay; I could still read/write them as root.

Jeff
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA  92517
voice: (909) 778-9980  *  fax: (702) 548-9484
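The /etc/shadow permission question quoted above (files showing up as `-r--------`) is the kind of thing a defender wants to check mechanically across several RaQs. The following is an added example, not code from the thread or from Cobalt: a small POSIX shell check that reads the ls-style mode string the message quotes and compares it with an expected value, plus an owner check. Which files and which expected modes to audit are the caller's choice; `/etc/shadow` with `-r--------` and owner `root` are used here only as the values discussed in the thread, and the script name `shadow-perms.sh` used in the guard at the bottom is an assumption.

```shell
#!/bin/sh
# Added example (not from the list thread): report a file's ls-style mode
# string and compare it with an expected one, e.g. "-r--------" for /etc/shadow.
# Assumes a POSIX ls; the files and expected modes are the caller's choice.

# mode_of FILE -> prints the 10-character permission field of `ls -ld`.
# Taking only the first 10 characters also drops a trailing "+" or "." that
# some systems append for ACLs or security labels.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_mode FILE EXPECTED -> returns 0 when the mode matches, 1 on a
# mismatch, 2 when the file cannot be listed; prints a one-line verdict.
check_mode() {
    file=$1
    expected=$2
    actual=$(mode_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file $actual"
        return 0
    fi
    echo "MISMATCH $file is $actual, expected $expected"
    return 1
}

# owner_of FILE -> prints the owner name; `ls -ld` puts it in field 3 on
# both GNU and BSD userlands.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# When run directly as shadow-perms.sh (assumed name), audit the file the
# thread talks about; when sourced, only the functions are defined.
if [ "${0##*/}" = "shadow-perms.sh" ]; then
    check_mode /etc/shadow -r--------
    [ "$(owner_of /etc/shadow)" = root ] || echo "WARN     /etc/shadow not owned by root"
fi
```

Two caveats follow directly from the exchange: mode bits do not restrict root, so being able to read and write the file as root (as Jeff reports) says nothing either way about the mode, and a check like this only reports drift from the mode you expect on your own boxes; it says nothing about whether binaries such as `amd` or `syslogd` have been replaced, which is what chkrootkit was flagging.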