Re: [cobalt-security] amd root?
- Subject: Re: [cobalt-security] amd root?
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Thu, 07 Feb 2002 19:45:28 -0800
- Organization: nobaloney.net
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Michael Stauber wrote:
> > On one customer system chkrootkit is reporting "amd" and "syslogd" are
> > both infected.
>
> This could be the LRK4 rootkit - among others:
>
> http://project.honeynet.org/challenge/results/submissions/addam/toolkit.txt
>
> However, if so, then CHKrootkit should find and identify it correctly, if I'm
> not mistaken.

Thanks for the info. The customer has decided he'll do whatever he does
on his own.

I hope he does something.

> Jeff, I gather you're quite experienced in regards to Cobalts.
>
> Did you recently stumble across any RaQ3 or RaQ4 which had /etc/shadow set to
> -r--------?
>
> Just today I had the third RaQ with the same signs and indications and I've
> heard about two others with the same issue.

Yes, but mine were okay; I could still read/write them as root.

Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484