Re: [cobalt-security] chkrootkit says passwd infected... now what?
- From: Gerald Waugh <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 24 Dec 2002 20:25:30 -0500
- Organization: Front Street Networks LLC
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Tuesday 24 December 2002 19:12, Dan Keller wrote:
> Dear Cobalt Gurus,
>
> I compiled and ran chkrootkit. It came up clean
> except for:
>
> passwd... INFECTED
>
> Yeow! I assume it means /bin/passwd and that
> my next step is to compare the existing binary
> with the one in the OS restore (are these assumptions
> correct?)
>
> My machine is a RaQ2. The OS restore file which
> I have obtained from the Cobalt site is named
> 960-RAQ20101AU[1].iso and it's approx 220 megs.
>
> How do I extract from it the /bin/password binary
> in order to compare it to the (possibly hacked?)
> /bin/password binary currently on my system?
>
It isn't /bin/passwd!
Getting it off the OSRCD is a little complicated.
Try this:
[root /root]# md5sum /usr/bin/passwd
0bbe46a45ee813b9aa94ef9a296cb723 /usr/bin/passwd
Gerald
--
http://frontstreetnetworks.com http://raqware.com
Front Street Networks LLC | Phone: 203-785-0699
229 Front Street, Ste C, New Haven, CT 06513-3203
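
An added example, not part of the original message: a POSIX shell function that checks binaries against a manifest of reference MD5 sums, such as the /usr/bin/passwd value posted in the reply above. The `MD5SUM` override, the optional root prefix and the manifest file are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare binaries against a manifest of reference MD5 sums
# taken from a known-clean machine. One entry per line, in the text-mode
# format md5sum prints, e.g. the value from the reply above:
#   0bbe46a45ee813b9aa94ef9a296cb723  /usr/bin/passwd
#
# MD5SUM may point at a trusted copy of the tool (assumption: for example
# one on read-only media), because tools on a suspect host may be replaced too.
MD5SUM="${MD5SUM:-md5sum}"

# verify_manifest MANIFEST [ROOT]
# ROOT is prepended to every path, so a suspect disk mounted under another
# directory can be checked from a clean system.
# Prints one status line per entry; returns 0 only if every entry matches.
verify_manifest() {
    manifest=$1
    root=${2:-}
    rc=0
    while read -r want path; do
        # Skip blank lines and comments in the manifest.
        case "$want" in ''|'#'*) continue ;; esac
        target="$root$path"
        if [ ! -f "$target" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        got=$("$MD5SUM" "$target" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $got, want $want)"
            rc=1
        fi
    done < "$manifest"
    return $rc
}
```

A MISMATCH only means the file differs from the reference; the reference must come from the same OS release and patch level for the comparison to be meaningful.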