
[cobalt-security] chkrootkit says passwd infected... now what?



Dear Cobalt Gurus,

I compiled and ran chkrootkit.  It came up clean
except for:

passwd... INFECTED

Yeow!  I assume it means /bin/passwd and that
my next step is to compare the existing binary
with the one in the OS restore (are these assumptions
correct?)

My machine is a RaQ2.  The OS restore file which
I have obtained from the Cobalt site is named
960-RAQ20101AU[1].iso and it's approx 220 megs.

How do I extract from it the /bin/password binary
in order to compare it to the (possibly hacked?)
/bin/password binary currently on my system?

I have no idea how a hacker might have gotten in
nor have I seen evidence of damage to the system
nor strange log entries, etc.  Nonetheless, I'd rather
be safe than sorry!

TIA for any pearls of wisdom you can share!

Dan Keller
cobalt@xxxxxxxxxx
415/861-4500