
Re: [cobalt-security] Some assistance needed



> [root chkrootkit-pre-0.36]# cat /etc/passwd |grep pcap
> pcap:x:77:77::/var/arpwatch:/sbin/nologin
> [root chkrootkit-pre-0.36]# cd ~pcap
> sh: /var/arpwatch: No such file or directory
>

My guess would be you installed the tcpdump package, and if you check in
/var/log/messages you should see a correlation between the time you
installed tcpdump, and the account creation.

grep "new user: name=pcap" /var/log/messages
grep "Installing tcpdump-3.6.2-10.7x.i386.rpm" /var/cobalt/adm.log

The lines returned from these should show a similar timestamp.

But I would continue to check for the kork user.

ChrisB.

--
http://ChrisBurton.info/
http://www.tyneside.lug.org.uk/
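
The timestamp comparison suggested in the reply above can be scripted; the following is an added example, not part of the original message. It assumes both logs begin each line with a syslog-style `Mon DD HH:MM:SS` stamp from the same year (the post does not show the adm.log layout), uses a 5-minute window chosen for illustration, and runs against constructed sample lines.

```shell
#!/bin/sh
# Added example. Assumption: each log line starts "Mon DD HH:MM:SS", same year.

# Print seconds-into-year of the first line in file $2 containing string $1.
# Exit status 1 if no line matches.
first_match_secs() {
    awk -v pat="$1" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
            split("0 31 59 90 120 151 181 212 243 273 304 334", off, " ")
            for (i = 1; i <= 12; i++) start[mon[i]] = off[i]
        }
        index($0, pat) && ($1 in start) {
            split($3, t, ":")
            print ((start[$1] + $2 - 1) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    ' "$2"
}

# correlated PAT1 FILE1 PAT2 FILE2 [WINDOW_SECS]
# Returns 0 = within the window, 1 = further apart, 2 = a pattern was not found.
correlated() {
    a=$(first_match_secs "$1" "$2") || return 2
    b=$(first_match_secs "$3" "$4") || return 2
    d=$((a - b))
    if [ "$d" -lt 0 ]; then d=$((0 - d)); fi
    [ "$d" -le "${5:-300}" ]
}

# Constructed sample logs (hosts, PIDs, times and the adm.log layout are made up).
tmp=$(mktemp -d)
cat > "$tmp/messages" <<'EOF'
Apr 12 14:03:11 host useradd[2311]: new user: name=pcap, uid=77, gid=77, home=/var/arpwatch, shell=/sbin/nologin
Apr 14 02:41:57 host useradd[9920]: new user: name=kork, uid=501, gid=501, home=/home/kork, shell=/bin/sh
EOF
cat > "$tmp/adm.log" <<'EOF'
Apr 12 14:03:09 host Installing tcpdump-3.6.2-10.7x.i386.rpm
EOF

for u in pcap kork; do
    if correlated "new user: name=$u" "$tmp/messages" \
                  "Installing tcpdump-3.6.2-10.7x.i386.rpm" "$tmp/adm.log"; then
        echo "$u: created within 5 minutes of the tcpdump install"
    else
        echo "$u: not explained by the tcpdump install, investigate"
    fi
done
```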