
Re: [cobalt-security] chkrootkit says passwd infected... now what?



On Tuesday 24 December 2002 19:12, Dan Keller wrote:
> Dear Cobalt Gurus,
>
> I compiled and ran chkrootkit.  It came up clean
> except for:
>
> passwd... INFECTED
>
> Yeow!  I assume it means /bin/passwd and that
> my next step is to compare the existing binary
> with the one in the OS restore (are these assumptions
> correct?)
>
> My machine is a RaQ2.  The OS restore file which
> I have obtained from the Cobalt site is named
> 960-RAQ20101AU[1].iso and it's approx 220 megs.
>
> How do I extract from it the /bin/password binary
> in order to compare it to the (possibly hacked?)
> /bin/password binary currently on my system?
>
It isn't /bin/passwd!
Getting it off the OSRCD is a little complicated.
Try this:
[root /root]# md5sum /usr/bin/passwd
0bbe46a45ee813b9aa94ef9a296cb723  /usr/bin/passwd

Gerald
-- 
http://frontstreetnetworks.com         http://raqware.com
Front Street Networks LLC   |  Phone: 203-785-0699
229 Front Street, Ste C, New Haven, CT 06513-3203