
RE: [cobalt-security] Some assistance needed



Hi,
Prob I did not install it properly.

Searching for LPD Worm files and dirs... Possible LPD worm installed
Checking `sniffer'... 
eth0 is not promisc

Also, I see the following entry in /etc/shadow

[root chkrootkit-pre-0.36]# cat /etc/passwd |grep pcap
pcap:x:77:77::/var/arpwatch:/sbin/nologin
[root chkrootkit-pre-0.36]# cd ~pcap 
sh: /var/arpwatch: No such file or directory

I don't see port 666 open
and, also, I don't see the entry in inetd.conf/services.

Kindly advise

Regards,
Rick

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Chris Burton
Sent: Saturday, June 29, 2002 7:46 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Some assistance needed


> I have d/l the latest version of chkrootkit.
> Seems like my system has been compromised.
> Searching for LPD Worm files and dirs... Possible LPD worm installed
> Checking `lkm'... not tested: can't exec ./chkproc
> Checking `sniffer'... not tested: can't exec ./ifpromisc
> Checking `wted'... not tested: can't exec ./chkwtmp
> Checking `z2'... not tested: can't exec ./chklastlog
>


Firstly, read the instructions for chkrootkit (you missed the bit under
installation), then re-run it. After that, see what the script does and see
what it is tripping out on.

Taking a quick look at the script it checks for:
A username in /etc/passwd starting with "kork" and/or a service listed in
/etc/inetd.conf on port 666 (or one starting with 666). If you have these
and they weren't put there by you, then you may have a problem.

ChrisB.

--
http://ChrisBurton.info/
http://www.tyneside.lug.org.uk/
