[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] Is this suspicious?
- Subject: Re: [cobalt-security] Is this suspicious?
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Fri, 04 Oct 2002 15:58:38 -0700
- Organization: nobaloney.net
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> Julians@xxxxxxxxxxxxxxx wrote:
> I know enough to run this on our raq2,
> But not enough to know what it all means... Should I be worried?
>
> [root chkrootkit-0.37]# ./chkrootkit
...<output snipped>...
Just grep the output for "INFECTED" (without the quotes, in CAPS).
If there aren't any, it's okay.
BUT... it can't run chkproc or ifpromisc because it's a RaQ2.
And the RaQ2 always deleted history for previous logins, so it will only
find entries for the same day's commands.
Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net, P. O. Box 52672, Riverside, CA 92517
voice: +1 909 778-9980 * fax: +1 909 548-9484