RE: [cobalt-security] CROND
- Subject: RE: [cobalt-security] CROND
 
- From: "Anthony Patti" <gps@xxxxxxxxxxxxxx>
 
- Date: Tue, 26 Nov 2002 22:38:43 -0600
 
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
 
+I have a process running on one of my Raq4's called CROND.  Not to be
+mistaken with crond.
+
+root      4180  0.0  0.1  1156  536 ?        S    14:09   0:00 CROND
+
+I am unaware of what this process is. The latest chkrootkit shows no hacks.
+
+A reboot of the machine cleared it out but it came back again the next day.
+
+Any ideas of what this might be?
+
+Thanks
+
+Tom
CROND is part of a root kit hack. I forget which one.
http://list.cobalt.com/pipermail/cobalt-users/2001-February/038052.html
- Check your netstat output for any strange open ports.
- Check your /etc/inetd.conf file
- Check /root/.bash_history
- Also try searching for .psybnc and .crond and examine your /.tmp directories.
For additional reference see:
http://www.lucidic.net/whitepapers/sholcroft-4.1-2002.html
http://www.beimborn.com/security/chkconfig_nmap.html
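
The checks listed in the reply above, gathered into one script as an added example (it is not part of the original message or of any Cobalt tool). The function names are hypothetical, and the `/proc/PID/exe` lookup is an extra step assumed here to show which binary sits behind a process that `ps` displays as CROND.

```shell
#!/bin/sh
# Added triage example; function names are hypothetical, not from the thread.

# Print the active (non-comment, non-blank) lines of an inetd.conf-style file.
active_inetd_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# List files or directories named .psybnc or .crond beneath a starting directory.
find_hidden_names() {
    find "$1" \( -name '.psybnc' -o -name '.crond' \) -print 2>/dev/null
}

# Read "PID COMMAND..." lines on stdin; print PIDs whose command is exactly CROND.
crond_pids() {
    awk '$2 == "CROND" { print $1 }'
}

# Assumption (not in the thread): /proc/PID/exe names the binary behind each PID.
crond_binaries() {
    for pid in $(ps -eo pid=,args= | crond_pids); do
        printf '%s %s\n' "$pid" "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    done
}

# Run every check against the live system; call as root: triage
triage() {
    echo "== listening sockets ==";      netstat -an | grep -i listen
    echo "== active inetd entries ==";   active_inetd_entries /etc/inetd.conf
    echo "== root shell history ==";     tail -n 50 /root/.bash_history
    echo "== .psybnc / .crond names =="; find_hidden_names /
    echo "== CROND processes ==";        crond_binaries
}
```

Output gathered with the host's own `ps`, `netstat` and `find` is only as trustworthy as those binaries, so compare against copies from known-good media where possible.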