
RE: [cobalt-security] Is this suspicious?



On Mon, 2002-10-07 at 16:35, Andy Brown wrote:
> 
> <snip>
> Checking `passwd'... INFECTED 
> </snip>
> 
> Not sure if anybody else noticed this, so thought I'd highlight it.
> 
> This is slightly unusual; the chkroot details say anything showing as INFECTED generally means the binary has been modified, probably by a trojan.

The check matches "security" in the output of "strings /usr/bin/passwd"
which contains something like "/etc/security/passwd.conf".  I cannot
tell with 100% certainty but it does look like a false positive.

Eugene
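
The substring match described in the reply above, as an added example that is not part of the original message and not the scanner's own code. The helper names, the sample `strings` lines and the "path under /etc/" triage rule are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample standing in for `strings /usr/bin/passwd` output
# (illustrative lines, not taken from a real binary).
sample_strings() {
cat <<'EOF'
/lib/ld-linux.so.2
libpam.so.0
pam_chauthtok
/etc/security/passwd.conf
Usage: %s [-k] [-l] [-u] [username]
passwd: Authentication failure
EOF
}

# naive_check PATTERN (hypothetical helper): a bare substring test over
# strings output on stdin, the kind of check the reply describes.
naive_check() {
    if grep -q -- "$1"; then echo "INFECTED"; else echo "not infected"; fi
}

# triage_matches PATTERN (hypothetical helper): print every line that
# triggered the match, labelled by context. Assumed rule for this example:
# a hit inside an absolute path under /etc/ is a config-file reference;
# any other hit is flagged for manual review.
triage_matches() {
    grep -- "$1" | while IFS= read -r line; do
        case "$line" in
            /etc/*"$1"*) echo "path-only: $line" ;;
            *)           echo "review: $line" ;;
        esac
    done
}

# triage_verdict PATTERN (hypothetical helper): summarise the hits.
# "likely false positive" is triage context only, not proof of integrity.
triage_verdict() {
    hits=$(triage_matches "$1")
    if [ -z "$hits" ]; then echo "no match"
    elif printf '%s\n' "$hits" | grep -q '^review: '; then echo "needs review"
    else echo "likely false positive"
    fi
}

sample_strings | naive_check security      # INFECTED
sample_strings | triage_matches security   # path-only: /etc/security/passwd.conf
sample_strings | triage_verdict security   # likely false positive
```

On a live system the same functions can be fed from `strings /usr/bin/passwd` instead of the constructed sample.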