RE: [cobalt-security] CROND
- Subject: RE: [cobalt-security] CROND
- From: "Anthony Patti" <gps@xxxxxxxxxxxxxx>
- Date: Tue, 26 Nov 2002 22:38:43 -0600
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
+I have a process running on one of my Raq4's called CROND. Not to be
+mistaken with crond.
+
+root 4180 0.0 0.1 1156 536 ? S 14:09 0:00 CROND
+
+I am unaware of what this process is. The latest chkrootkit shows no hacks.
+
+A reboot of the machine cleared it out but it came back again the next day.
+
+Any ideas of what this might be?
+
+Thanks
+
+Tom
CROND is part of a root kit hack. I forget which one.
http://list.cobalt.com/pipermail/cobalt-users/2001-February/038052.html
- Check your netstat output for any strange open ports.
- Check your /etc/inetd.conf file
- Check /root/.bash_history
- Also try searching for .psybnc and .crond and examine your /.tmp directories.
For additional reference see:
http://www.lucidic.net/whitepapers/sholcroft-4.1-2002.html
http://www.beimborn.com/security/chkconfig_nmap.html
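
The checks listed in the reply above, collected into one script as an added example (not part of the original message or the list archive). The function names, the `--run` switch and the 40-line history tail are assumptions made for illustration.

```shell
#!/bin/sh
# Added triage sketch; function names and defaults are illustrative.

# PIDs from `ps aux`-style text on stdin whose COMMAND is exactly "CROND".
crond_pids() {
    awk '$11 == "CROND" { print $2 }'
}

# Binary and parent PID behind a process name (Linux /proc).
describe_pid() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')
    ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$1/status" 2>/dev/null || true)
    echo "pid=$1 exe=$exe ppid=${ppid:-?}"
}

# Active (non-comment, non-blank) inetd.conf entries, for manual review.
inetd_active() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# Files or directories named .psybnc or .crond below a root directory.
find_hidden_names() {
    find "$1" -xdev \( -name .psybnc -o -name .crond \) -print 2>/dev/null | sort
}

# Run all checks against the live host (needs root to read every /proc entry).
triage() {
    echo "== processes named CROND"
    for pid in $(ps aux | crond_pids); do describe_pid "$pid"; done
    echo "== listening sockets"
    netstat -an 2>/dev/null | grep -i listen || true
    echo "== active inetd.conf entries"
    if [ -r /etc/inetd.conf ]; then inetd_active /etc/inetd.conf; fi
    echo "== tail of /root/.bash_history"
    if [ -r /root/.bash_history ]; then tail -n 40 /root/.bash_history; fi
    echo "== .psybnc / .crond"
    find_hidden_names "${1:-/}"
}

# Only touch the live system when asked: sh triage.sh --run [root-dir]
if [ "${1:-}" = "--run" ]; then triage "${2:-/}"; fi
```

On a host where a rootkit is suspected, `ps`, `netstat` and `find` may themselves have been replaced, so run the script with known-good binaries (for example from read-only media) and compare the `exe=` path against the packaged cron binary.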