
Re: [cobalt-security] chkrootkit says passwd infected... now what?



On Wed, 2002-12-25 at 03:12, Dan Keller wrote:
> Dear Cobalt Gurus,
> 
> I compiled and ran chkrootkit.  It came up clean
> except for:
> 
> passwd... INFECTED
> 
> Yeow!  I assume it means /bin/passwd and that
> my next step is to compare the existing binary
> with the one in the OS restore (are these assumptions
> correct?)
> 
> My machine is a RaQ2.  The OS restore file which
> I have obtained from the Cobalt site is named
> 960-RAQ20101AU[1].iso and it's approx 220 megs.
> 
> How do I extract from it the /bin/password binary
> in order to compare it to the (possibly hacked?)
> /bin/password binary currently on my system?
> 
> I have no idea how a hacker might have gotten in
> nor have I seen evidence of damage to the system
> nor strange log entries, etc.  Nonetheless, I'd rather
> be safe than sorry!
> 
> TIA for any pearls of wisdom you can share!

http://list.cobalt.com/pipermail/cobalt-security/2002-October/006533.html

Eugene