
RE: [cobalt-security] Is this suspicious?



<snip>
Checking `passwd'... INFECTED 
</snip>

Not sure if anybody else noticed this, so thought I'd highlight it.

This is slightly unusual; the chkroot details say anything showing as INFECTED generally means the binary has been modified, probably by a trojan.

Unfortunately I don't have a RaQ2 myself, so can't check, but best is to do an md5sum on the file:
md5sum /usr/bin/passwd
then compare the output to somebody else's machine.

You *could* have somebody in the system. Have you run chkrootkit again just to make sure it wasn't a false alarm?

Regards,

Andy
andy@xxxxxxxxxx
http://www.raqpak.com/ <-- Raq/Qube unofficial PKGs and support advice