[cobalt-security] RE: [cobalt-security]chkrootkit, was (no subject)
- Subject: [cobalt-security] RE: [cobalt-security]chkrootkit, was (no subject)
- From: "Goade, Matthew" <mgoade@xxxxxxxxxxxxxxx>
- Date: Fri, 12 Jul 2002 09:48:28 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
I have run it several times since, and it all checks out fine. This may have in fact been a false+. I'll run it in cron hourly and keep an eye on it for a while...
Thanks!
-----Original Message-----
From: Graeme Fowler [mailto:graeme.fowler@xxxxxxxxxxxxxx]
Sent: Friday, July 12, 2002 9:15 AM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-security] (no subject)
Matthew Goade wrote:
> Warning: Possible LKM Trojan installed
>
> Is this normal for a Raq4r???
No. Absolutely not, no. Unless the RaQ is hammering away processing mail, or something similar, I'd say you probably have Something Bad going on there.
chkrootkit *can* report false positives since in the interval between it running 'ps ax' and then doing the readdir on /proc/[0-9]* some processes may spawn or die; however if you consistently have the same number then something is very wrong.
You can run chkrootkit in 'expert' or 'debug' mode[0]. Pipe the output to a file and look through it to see which process IDs are causing the problem. Then do "ls -l /proc/$PID" and see what it says. That way you can attempt to find whatever dirty binary is causing the problem.
[0] I will, however, leave this as an exercise for interested readers ;-)
Graeme
--
Graeme Fowler
System Administrator
Host Europe Group PLC
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
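The comparison Graeme describes above (what 'ps' reports versus the numeric entries under /proc, then "ls -l /proc/$PID" on the odd ones out), as an added example that is not part of this thread and not chkrootkit's own code: it takes the two listings twice and keeps only the PIDs hidden from ps in both samples, so processes that merely spawned or died between the listings (the false-positive race mentioned above) drop out. The function names and the CHKROOTKIT_LIVE variable are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from chkrootkit. Compare ps(1) with
# readdir(/proc) twice; a PID that is absent from ps in both samples is not
# a race artefact and deserves a look with ls -l /proc/$PID.
export LC_ALL=C   # comm(1) needs both inputs sorted in the same collation

# set_diff A B: items of newline-separated list A that are not in list B.
set_diff() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$a"
    printf '%s\n' "$2" | sed '/^$/d' | sort -u > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# set_intersect A B: items present in both lists.
set_intersect() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$a"
    printf '%s\n' "$2" | sed '/^$/d' | sort -u > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# hidden_in_sample PS_PIDS PROC_PIDS: PIDs that /proc lists but ps does not.
hidden_in_sample() { set_diff "$2" "$1"; }

# persistent_hidden PS1 PROC1 PS2 PROC2: PIDs hidden from ps in BOTH samples.
persistent_hidden() {
    set_intersect "$(hidden_in_sample "$1" "$2")" "$(hidden_in_sample "$3" "$4")"
}

# Live sampling on Linux: ps's view and the kernel's /proc view.
ps_pids()   { ps -e -o pid= | tr -d ' '; }
proc_pids() { ls /proc | grep -E '^[0-9]+$'; }

# check_live: two samples a second apart, then inspect every survivor.
check_live() {
    s1_ps=$(ps_pids); s1_proc=$(proc_pids)
    sleep 1
    s2_ps=$(ps_pids); s2_proc=$(proc_pids)
    for pid in $(persistent_hidden "$s1_ps" "$s1_proc" "$s2_ps" "$s2_proc"); do
        echo "PID $pid is in /proc but missing from ps in both samples:"
        ls -l "/proc/$pid" 2>&1
    done
}

# Only touch the live system when explicitly asked (CHKROOTKIT_LIVE=1 ./script).
if [ "${CHKROOTKIT_LIVE:-0}" = 1 ]; then check_live; fi
```

Run it with CHKROOTKIT_LIVE=1 as root so ps and /proc show the same view; an empty result means the earlier warning was most likely the timing race, a repeated PID means something is hiding from ps.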