
[cobalt-security] Installation and use of chkrootkit by Steve Young



Steve,

Well done.  The instructions were perfect.  I am now 99% sure that my
server was not compromised, given what I learned about interpreting the
responses from chkrootkit.  Being a Linux newbie, my education
continues, yet I would hope that those who use this forum would admonish
Sun Cobalt to make utilities like this readily available and provide
instructions as to their use.  As a new user I should not be relegated
to hunt for these types of utilities after hours of reading?  These are
things that should be more obvious.

Again, Thank you
Stefan

> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx [mailto:cobalt-security-
> admin@xxxxxxxxxxxxxxx] On Behalf Of cobalt-security-
> request@xxxxxxxxxxxxxxx
> Sent: Friday, November 29, 2002 3:00 PM
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: cobalt-security digest, Vol 1 #997 - 3 msgs
> 
> Send cobalt-security mailing list submissions to
> 	cobalt-security@xxxxxxxxxxxxxxx
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://list.cobalt.com/mailman/listinfo/cobalt-security
> or, via email, send a message with subject or body 'help' to
> 	cobalt-security-request@xxxxxxxxxxxxxxx
> 
> You can reach the person managing the list at
> 	cobalt-security-admin@xxxxxxxxxxxxxxx
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cobalt-security digest..."
> 
> 
> Today's Topics:
> 
>    1. Apache .bugtrac (Ja)
>    2. How to install chkrootkit (Stefan Jones)
>    3. RE: How to install chkrootkit (Steven Young)
> 
> --__--__--
> 
> Message: 1
> From: "Ja" <jjma@xxxxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Date: Fri, 29 Nov 2002 10:44:53 -0000
> Subject: [cobalt-security] Apache .bugtrac
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> 
> Hello
> 
> Did patch RaQ3-All-Security-4.0.1-1-15787.pkg resolve the .bugtrac &
> /usr/lib/authenticate exploits? I would like to use the SSL
> port again which is currently 'firewalled off'
> 
> Thanks
> 
> Jon
> 
> 
> 
> --__--__--
> 
> Message: 2
> From: "Stefan Jones" <stefan.w.jones@xxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Date: Fri, 29 Nov 2002 12:26:20 -0500
> Organization: Wynn Consulting
> Subject: [cobalt-security] How to install chkrootkit
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> 
> I think I have acquired a copy of chkrootkit.  But I am unaware of the
> best way to install this software on a Sun Cobalt Qube 3 Professional.
> It was downloaded from http://www.chkrootkit.com/#related_links  but
> does not appear to be the typical pkg that I can run the install
> manually on.  Any help would be appreciated, I am somewhat of a Linux
> newbie.  And seriously interested in the enhanced security monitoring
> capabilities that chkrootkit can offer.
> 
> Stefan Wynn Jones
> 
> > -----Original Message-----
> > From: cobalt-security-admin@xxxxxxxxxxxxxxx [mailto:cobalt-security-
> > admin@xxxxxxxxxxxxxxx] On Behalf Of cobalt-security-
> > request@xxxxxxxxxxxxxxx
> > Sent: Thursday, November 28, 2002 3:00 PM
> > To: cobalt-security@xxxxxxxxxxxxxxx
> > Subject: cobalt-security digest, Vol 1 #996 - 1 msg
> >
> >
> > Today's Topics:
> >
> >    1. Re: CROND (John 'JAYTEE' Tompkins)
> >
> > -- __--__--
> >
> > Message: 1
> > Date: Thu, 28 Nov 2002 16:52:05 +1100
> > Subject: Re: [cobalt-security] CROND
> > From: "John 'JAYTEE' Tompkins" <jaytee@xxxxxxxxx>
> > To: cobalt-security@xxxxxxxxxxxxxxx
> > Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> >
> > Tom,
> > On Our RAQ3, CROND appears as a process when monitor.pl executes on the
> > quarter hour
> > Always has...
> >
> > JAYTEE
> >
> > On Wednesday, November 27, 2002, at 09:12  AM, Skyhound Internet wrote:
> >
> > > I have a process running on one of my Raq4's called CROND.  Not to be
> > > mistaken with crond.
> > >
> > > root      4180  0.0  0.1  1156  536 ?        S    14:09   0:00 CROND
> > >
> > > I am unaware of what this process is. The latest chkrootkit shows no
> > > hacks.
> > >
> > > A reboot of the machine cleared it out but it came back again the next
> > > day.
> > >
> > > Any ideas of what this might be?
> > >
> > > Thanks
> > >
> > > Tom
> > >
> > > _______________________________________
> > > Skyhound Internet
> > > Long Beach CA
> > >
> > > _______________________________________________
> > > cobalt-security mailing list
> > > cobalt-security@xxxxxxxxxxxxxxx
> > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > >
> >
> >
> >
> > -- __--__--
> >
> >
> >
> > End of cobalt-security Digest
> 
> 
> 
> --__--__--
> 
> Message: 3
> From: "Steven Young" <steven.young@xxxxxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Subject: RE: [cobalt-security] How to install chkrootkit
> Date: Fri, 29 Nov 2002 17:40:53 -0000
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> 
> > I think I have acquired a copy of chkrootkit.  But I am
> > unaware of the best way to install this software on a Sun
> > Cobalt Qube 3 Professional. It was downloaded from
> > http://www.chkrootkit.com/#related_links  but does not appear
> > to be the typical pkg that I can run the install manually on.
> >  Any help would be appreciated, I am somewhat of a Linux
> > newbie.  And seriously interested in the enhanced security
> > monitoring capabilities that chkrootkit can offer.
> >
> > Stefan Wynn Jones
> 
> chkrootkit is nice and easy to install and setup from source. I did the
> following on a RaQ3 but I'm sure you can follow the following on a Qube
> too.
> 
> SSH to your Qube and SU - to root
> 
> To install:-
> ------------
> 
> mkdir /usr/local/src (if it doesn't already exist)
> cd /usr/local/src
> wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz (grabs
> latest version of source 0.37)
> tar -xzf chkrootkit.tar.gz
> cd chkrootkit-0.37
> make sense
> cd ..
> mv chkrootkit-0.37 /usr/local/
> chown -R root:root /usr/local/chkrootkit-0.37
> 
> 
> To run:-
> --------
> 
> cd /usr/local/chkrootkit-0.37
> ./chkrootkit
> 
> 
> To run automatically each day:-
> -------------------------------
> 
> Edit /etc/crontab with the text editor of your choice (emacs / pico / vi
> / etc..) and add following to it:-
> 
> # Run chkrootkit-0.37 daily at 6.30am and email output to root.
> 30 6 * * * root (cd /usr/local/chkrootkit-0.37; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)
> 
> Now restart the cron daemon:-
> 
> /etc/rc.d/init.d/crond restart
> 
> and you should now receive an email to root each day at 6.30 am.
> 
> 
> Hope this helps,
> Steven Young
> 
> 
> 
> 
> 
> --__--__--
> 
> 
> 
> End of cobalt-security Digest
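
An added example, not part of the thread and not shipped with chkrootkit: a filter for the daily cron run described above that keeps only the report lines needing review. The function names, the list of "clean" result phrases and the sample report are assumptions constructed for illustration; check the phrases against the output of your own chkrootkit version.

```shell
#!/bin/sh
# Added example, not from the thread: keep only the chkrootkit report
# lines that need a human look, so the daily mail is short.

# Result phrases treated as clean. This list is an assumption; compare it
# with the output of your own chkrootkit version before relying on it.
CLEAN_RE='(not infected|not found|not tested|nothing found|nothing detected|nothing deleted)[[:space:]]*$'

# Read a report on stdin and print every non-blank line that does not end
# in a clean phrase. Unrecognised lines are printed too, on purpose.
chkrootkit_findings() {
    # grep exits 1 when no line is left, which is the good case here.
    grep -Ev "^[[:space:]]*\$|$CLEAN_RE" || true
}

# Read a report on stdin; print findings and return 1 if there are any.
review_report() {
    findings=$(chkrootkit_findings)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample in the style of chkrootkit output (not a real scan).
sample_report() {
    cat <<'EOF'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `lkm'... nothing detected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `wted'... nothing deleted
EOF
}

# Demo: prints the two INFECTED lines from the sample.
sample_report | chkrootkit_findings
```

In the cron job the filter would sit between `./chkrootkit 2>&1` and `mail`; because any line it does not recognise as clean is passed through, a changed or unexpected report still reaches root's mailbox.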