Re: [cobalt-security] Some assistance needed
- Subject: Re: [cobalt-security] Some assistance needed
- From: "Chris Burton" <chris@xxxxxxxxxxxxxxxxxx>
- Date: Sat, 29 Jun 2002 12:45:51 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> I have d/l the latest version of chkrootkit.
> Seems like my system has been compromised.
> Searching for LPD Worm files and dirs... Possible LPD worm installed
> Checking `lkm'... not tested: can't exec ./chkproc
> Checking `sniffer'... not tested: can't exec ./ifpromisc
> Checking `wted'... not tested: can't exec ./chkwtmp
> Checking `z2'... not tested: can't exec ./chklastlog
>
Firstly read the instructions for chkrootkit, you missed the bit under
installation then re-run it. After that see what the script does .. and see
what it is tripping out on..
Taking a quick look at the script it checks for:
A username in /etc/passwd starting with "kork" and/or a service listed in
/etc/inetd.conf on port 666 (or one starting with 666), if you have these
and they weren't put there by you then you may have a problem.
ChrisB.
--
http://ChrisBurton.info/
http://www.tyneside.lug.org.uk/
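
The two indicators named in the reply above, checked by hand, as an added example that is not part of the original message and is not chkrootkit's own code. The function names are hypothetical and the sample files are constructed.

```sh
# Added example, not chkrootkit's own code. Function names are hypothetical.

# Print usernames in a passwd-format file that start with "kork".
kork_users() {
    awk -F: '$1 ~ /^kork/ { print $1 }' "$1"
}

# Print inetd.conf lines whose first field (service name or port) starts
# with 666. Commented-out lines never match: their first field starts with "#".
inetd_666() {
    awk '$1 ~ /^666/ { print }' "$1"
}

# Return 0 if either indicator is present, 1 if neither is.
lpd_worm_indicators() {
    passwd_file=${1:-/etc/passwd}
    inetd_file=${2:-/etc/inetd.conf}
    found=1
    if [ -r "$passwd_file" ]; then
        users=$(kork_users "$passwd_file")
        if [ -n "$users" ]; then
            echo "$passwd_file: user(s) starting with kork: $users"
            found=0
        fi
    fi
    if [ -r "$inetd_file" ]; then
        svc=$(inetd_666 "$inetd_file")
        if [ -n "$svc" ]; then
            echo "$inetd_file: entry on 666*: $svc"
            found=0
        fi
    fi
    return "$found"
}

# Constructed sample files, not taken from a real host.
demo() {
    demo_dir=$(mktemp -d) || return 2
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'kork:x:0:0::/:/bin/false' > "$demo_dir/passwd"
    printf '%s\n' '#666 stream tcp nowait nobody /bin/false false' \
        'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd' \
        '666 stream tcp nowait nobody /bin/false false' > "$demo_dir/inetd.conf"
    lpd_worm_indicators "$demo_dir/passwd" "$demo_dir/inetd.conf"
    rc=$?
    rm -rf "$demo_dir"
    return "$rc"
}
demo
```

Called with no arguments, `lpd_worm_indicators` reads /etc/passwd and /etc/inetd.conf; a hit is a reason to look closer, as the reply says, not proof of compromise.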