RE: [cobalt-security] Some assistance needed
- From: "Rick" <rick@xxxxxxxxxxxx>
- Date: Sat, 29 Jun 2002 20:08:52 +0800
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi,
Prob I did not install it properly.
Searching for LPD Worm files and dirs... Possible LPD worm installed
Checking `sniffer'...
eth0 is not promisc
Also, I see the following entry in /etc/shadow
[root chkrootkit-pre-0.36]# cat /etc/passwd |grep pcap
pcap:x:77:77::/var/arpwatch:/sbin/nologin
[root chkrootkit-pre-0.36]# cd ~pcap
sh: /var/arpwatch: No such file or directory
I don't see port 666 open
and also, I don't see the entry in inetd.conf/services.
Kindly advise
Regards,
Rick
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Chris Burton
Sent: Saturday, June 29, 2002 7:46 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Some assistance needed
> I have d/l the latest version of chkrootkit.
> Seems like my system has been compromised.
> Searching for LPD Worm files and dirs... Possible LPD worm installed
> Checking `lkm'... not tested: can't exec ./chkproc
> Checking `sniffer'... not tested: can't exec ./ifpromisc
> Checking `wted'... not tested: can't exec ./chkwtmp
> Checking `z2'... not tested: can't exec ./chklastlog
>
Firstly, read the instructions for chkrootkit (you missed the bit under
installation), then re-run it. After that, see what the script does .. and see
what it is tripping out on..
Taking a quick look at the script, it checks for:
A username in /etc/passwd starting with "kork" and/or a service listed in
/etc/inetd.conf on port 666 (or one starting with 666). If you have these
and they weren't put there by you, then you may have a problem.
ChrisB.
--
http://ChrisBurton.info/
http://www.tyneside.lug.org.uk/
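The two conditions described in the reply above, written as a stand-alone check that prints the evidence behind each hit. This is an added example, not part of the original messages and not chkrootkit's own code; the function names, the root-prefix argument and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not chkrootkit's code. Re-checks the two indicators from the
# reply above and prints the evidence for each hit; prints nothing when clean.
# $1 is a root prefix (assumption): "" for the live system, or a test tree.
lpd_worm_indicators() {
    root=$1
    # Indicator 1: an account whose name starts with "kork".
    if [ -r "$root/etc/passwd" ]; then
        awk -F: '$1 ~ /^kork/ { print "passwd: account " $1 " (uid " $3 ")" }' \
            "$root/etc/passwd"
    fi
    # Indicator 2: an inetd.conf entry whose first field is 666 or starts
    # with 666. Commented-out lines have a first field starting with "#".
    if [ -r "$root/etc/inetd.conf" ]; then
        awk '$1 ~ /^666/ { print "inetd.conf line " NR ": " $0 }' \
            "$root/etc/inetd.conf"
    fi
}

# Constructed sample trees (not data from the thread): "clean" carries the
# pcap account quoted above, "hit" carries both indicators.
make_samples() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/clean/etc" "$base/hit/etc"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'pcap:x:77:77::/var/arpwatch:/sbin/nologin' > "$base/clean/etc/passwd"
    printf '%s\n' '# 666 stream tcp nowait root /constructed/example example' \
        'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd' \
        > "$base/clean/etc/inetd.conf"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'kork:x:0:0::/:/bin/bash' > "$base/hit/etc/passwd"
    printf '%s\n' '666 stream tcp nowait root /constructed/example example' \
        > "$base/hit/etc/inetd.conf"
    echo "$base"
}

# Demo: run the check over both trees, then clean up.
samples=$(make_samples)
for tree in clean hit; do
    echo "== $tree =="
    lpd_worm_indicators "$samples/$tree"
done
rm -rf "$samples"
```

Calling `lpd_worm_indicators ""` inspects the live `/etc/passwd` and `/etc/inetd.conf`.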