RE: [cobalt-security] Is this suspicious?


Chkrootkit still reports

[root chkrootkit-0.37]# ./chkrootkit | grep INFECTED
Checking `passwd'... INFECTED

The md5sum of my /usr/bin/passwd is
0bbe46a45ee813b9aa94ef9a296cb723

I'd be grateful if someone could compare this with another RaQ2.

Thanks,
Julian



-----Original Message-----
From: Andy Brown [mailto:andy.brown@xxxxxxxxxxxxx]
Sent: 07 October 2002 13:35
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-security] Is this suspicious?



<snip>
Checking `passwd'... INFECTED
</snip>

Not sure if anybody else noticed this, so I thought I'd highlight it.

This is slightly unusual; the chkrootkit details say anything showing as INFECTED generally means the binary has been modified, probably by a trojan.

Unfortunately I don't have a RaQ2 myself, so I can't check, but the best thing is to do an md5sum on the file (md5sum /usr/bin/passwd) and then compare the output to somebody else's machine.

You *could* have somebody in the system. Have you run chkrootkit again just to make sure it wasn't a false alarm?

Regards,

Andy
andy@xxxxxxxxxx
http://www.raqpak.com/ <-- Raq/Qube unofficial PKGs and support advice
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx http://list.cobalt.com/mailman/listinfo/cobalt-security
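The comparison Andy suggests, scripted as an added example (not code from either poster or from chkrootkit): it hashes a binary with md5sum and checks it against a reference hash obtained from a host you trust, and can work through a whole list of binaries in "md5  path" format. The reference file and hashes in the usage lines are hypothetical placeholders; the only real reference is one you collect yourself from a known-good RaQ2 of the same OS release. Note that a real rootkit may also have replaced md5sum, awk, ls and the shell, so for a serious check run the script with tools copied from trusted read-only media, and, since the RaQ2 is an RPM-based system (assumption), cross-check with `rpm -V passwd`, which compares the file against the package database.

```sh
#!/bin/sh
# Compare installed binaries against MD5 hashes taken from a known-good host.
# Added example, not part of the original thread. Reference hashes below are
# placeholders; collect real ones on a trusted machine of the same release.

# md5_of FILE: print the hex MD5 of FILE (GNU md5sum or BSD md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# check_binary FILE EXPECTED_MD5
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
check_binary() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "MISSING  $file"
        return 2
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file $actual"
        return 0
    fi
    echo "MISMATCH $file got $actual want $expected"
    return 1
}

# check_list REFFILE
# REFFILE holds one "md5  /path/to/binary" per line, as md5sum prints it.
# Returns the number of binaries that did not match (0 = all clean).
check_list() {
    bad=0
    while read -r sum path; do
        [ -n "$sum" ] || continue
        check_binary "$path" "$sum" || bad=$((bad + 1))
    done < "$1"
    return "$bad"
}

# Usage (hypothetical reference hash, do not rely on it):
#   check_binary /usr/bin/passwd 0bbe46a45ee813b9aa94ef9a296cb723
#   check_list /mnt/cdrom/raq2-known-good.md5
```

The exit code of `check_list` is the mismatch count, so it can drive a cron job or a post-incident sweep directly. A mismatch is not proof of compromise on its own: a vendor patch that updated the package will also change the hash, so confirm the reference host is on the same OS release and patch level before reading anything into the result.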

