Re: [cobalt-security] Some assistance needed
- Subject: Re: [cobalt-security] Some assistance needed
- From: "Chris Burton" <chris@xxxxxxxxxxxxxxxxxx>
- Date: Sat, 29 Jun 2002 13:17:45 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> [root chkrootkit-pre-0.36]# cat /etc/passwd |grep pcap
> pcap:x:77:77::/var/arpwatch:/sbin/nologin
> [root chkrootkit-pre-0.36]# cd ~pcap
> sh: /var/arpwatch: No such file or directory
>
My guess would be you installed the tcpdump package, and if you check in
/var/log/messages you should see a correlation between the time you
installed tcpdump and the account creation.

    grep "new user: name=pcap" /var/log/messages
    grep "Installing tcpdump-3.6.2-10.7x.i386.rpm" /var/cobalt/adm.log

The lines returned from these should show a similar timestamp.
But I would continue to check for the kork user.
ChrisB.
--
http://ChrisBurton.info/
http://www.tyneside.lug.org.uk/
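
The timestamp comparison suggested in the reply above, as an added example that is not part of the original post: it pulls the first matching line from each log and checks that the two events fall within a few minutes of each other. The function names, the 300-second window, the sample log lines and the assumption that both logs prefix each line with a syslog-style "Mon DD HH:MM:SS" stamp are illustrative, not taken from the thread.

```shell
#!/bin/sh
# Added example: correlate the pcap account creation with the tcpdump install.
# Assumption: both logs start each line with a syslog-style "Mon DD HH:MM:SS"
# stamp (no year, so events on either side of New Year are not comparable).

# first_ts PATTERN FILE -> seconds since start of year for the first match
first_ts() {
    grep -F -- "$1" "$2" | head -n 1 | awk '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
            for (i = 1; i <= 12; i++) off[m[i]] = cum[i]
        }
        {
            split($3, t, ":")
            printf "%d\n", (off[$1] + $2 - 1) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        }'
}

# correlated MESSAGES ADMLOG [WINDOW_SECS]
# exit 0: both events found and within the window
# exit 1: both found but too far apart (account not explained by the install)
# exit 2: one of the events is missing from its log
correlated() {
    window=${3:-300}
    created=$(first_ts "new user: name=pcap" "$1")
    installed=$(first_ts "Installing tcpdump-3.6.2-10.7x.i386.rpm" "$2")
    [ -n "$created" ] && [ -n "$installed" ] || return 2
    delta=$((created - installed))
    [ "$delta" -lt 0 ] && delta=$((0 - delta))
    echo "account creation and install are ${delta}s apart"
    [ "$delta" -le "$window" ]
}

# Constructed sample lines (not real log output) so the example runs offline.
demo=$(mktemp -d)
printf '%s\n' 'Jun 29 12:01:07 www useradd[4211]: new user: name=pcap, uid=77, gid=77, home=/var/arpwatch, shell=/sbin/nologin' > "$demo/messages"
printf '%s\n' 'Jun 29 12:01:05 www pkg: Installing tcpdump-3.6.2-10.7x.i386.rpm' > "$demo/adm.log"
correlated "$demo/messages" "$demo/adm.log"
rm -rf "$demo"
```

On a live system the call would be `correlated /var/log/messages /var/cobalt/adm.log`; an exit status of 1 or 2 means the account is not accounted for by the package install and needs a closer look.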