Re: [cobalt-security] chkrootkit says passwd infected... now what?
- Subject: Re: [cobalt-security] chkrootkit says passwd infected... now what?
- From: Eugene Crosser <crosser@xxxxxxxxxxx>
- Date: 25 Dec 2002 11:29:30 +0300
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Wed, 2002-12-25 at 03:12, Dan Keller wrote:
> Dear Cobalt Gurus,
>
> I compiled and ran chkrootkit. It came up clean
> except for:
>
> passwd... INFECTED
>
> Yeow! I assume it means /bin/passwd and that
> my next step is to compare the existing binary
> with the one in the OS restore (are these assumptions
> correct?)
>
> My machine is a RaQ2. The OS restore file which
> I have obtained from the Cobalt site is named
> 960-RAQ20101AU[1].iso and it's approx 220 megs.
>
> How do I extract from it the /bin/password binary
> in order to compare it to the (possibly hacked?)
> /bin/password binary currently on my system?
>
> I have no idea how a hacker might have gotten in
> nor have I seen evidence of damage to the system
> nor strange log entries, etc. Nonetheless, I'd rather
> be safe than sorry!
>
> TIA for any pearls of wisdom you can share!
http://list.cobalt.com/pipermail/cobalt-security/2002-October/006533.html
Eugene