
[cobalt-security] Post-restore chkrootkit reports
Greetings,

About a week ago a server was compromised and we had it restored by data
center staff. Within hours of the OS restore, a security package including
chkrootkit was re-installed on the box. Since the restore, chkrootkit has
continued to report:

Checking `wted'... 1 deletion(s) between Fri Dec 20 11:19:43 2002 and Tue Dec 24 13:48:10 2002
5 deletion(s) between Tue Dec 24 13:48:10 2002 and Tue Dec 24 13:52:40 2002
nothing deleted

No other anomalies have been seen in chkrootkit or otherwise. I don't
understand these dates. Since the box was just restored in May, I don't
understand why chkrootkit is reporting wted changes of last December. And
FWIW, before the restore, there were no chkrootkit reports of such problems
around the Dec 20-24 dates in question. Also, regarding the restore, IIRC I
think for the sake of speed the data center may use "pre-restored" hard
disks that are swapped in upon an OS restore request. Not sure if this was
actually the case, or whether the restore was from a CD.

Can this indicate that the box is still insecure or questionable?
Any opinions or suggestions very much appreciated.

Thanks,
Lew
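For readers wondering what the `wted' check is actually measuring, here is a small re-implementation of the heuristic as I understand it from chkrootkit's chkwtmp: a wtmp record whose timestamp is zero is treated as wiped by a "zap"-style log cleaner (those tools overwrite the record with zeros rather than shrinking the file), and each run of zeroed records is reported as "N deletion(s) between A and B", where A and B are the timestamps of the intact records on either side. This is an added example, not code from the original post or from chkrootkit; it assumes the glibc struct utmp layout on Linux/x86 (384-byte records), and the wtmp file it builds is constructed to resemble the report above. Note that the surrounding dates come from whatever records survive in /var/log/wtmp, so a restored disk image that carries an old wtmp will keep reporting the old dates until that file is rotated or cleared.

```python
import calendar
import struct
import time
from typing import List, Tuple

# Assumption: glibc struct utmp on Linux/x86 (384 bytes).
#   short ut_type; pad; pid_t ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; short e_termination, e_exit;
#   int ut_session; int tv_sec, tv_usec; int ut_addr_v6[4]; char unused[20]
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
USER_PROCESS = 7
TS_FIELD = 9  # index of tv_sec in the unpacked tuple


def ts(s: str) -> int:
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC epoch seconds (helper for the sample)."""
    return calendar.timegm(time.strptime(s, "%Y-%m-%d %H:%M:%S"))


def make_record(user: str, line: str, host: str, when: int) -> bytes:
    """Build one intact login record."""
    return UTMP.pack(USER_PROCESS, 1000, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, when, 0, 0, 0, 0, 0)


def zap_record(rec: bytes) -> bytes:
    """What a zap-style cleaner leaves behind: same length, all zeros."""
    return bytes(len(rec))


def find_deletions(wtmp: bytes) -> List[Tuple[int, int, int]]:
    """Return (count, before_ts, after_ts) for every run of zeroed records.
    after_ts is 0 when the run reaches the end of the file."""
    if len(wtmp) % UTMP.size:
        raise ValueError("wtmp length is not a multiple of the record size")
    found = []
    prev_ts = 0
    zapped = 0
    for off in range(0, len(wtmp), UTMP.size):
        when = UTMP.unpack_from(wtmp, off)[TS_FIELD]
        if when == 0:
            zapped += 1
            continue
        if zapped:
            found.append((zapped, prev_ts, when))
            zapped = 0
        prev_ts = when
    if zapped:
        found.append((zapped, prev_ts, 0))
    return found


def fmt(when: int) -> str:
    return time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(when)) if when else "end of file"


def report(wtmp: bytes) -> List[str]:
    """Render the findings in chkrootkit's wording."""
    lines = ["%d deletion(s) between %s and %s" % (n, fmt(a), fmt(b))
             for n, a, b in find_deletions(wtmp)]
    return lines or ["nothing deleted"]


def build_sample_wtmp() -> bytes:
    """Constructed sample: December 2002 logins with zapped records in between,
    followed by a login after a May 2003 restore that kept the old wtmp."""
    dec20 = make_record("lew", "pts/0", "10.0.0.5", ts("2002-12-20 11:19:43"))
    dec24a = make_record("lew", "pts/0", "10.0.0.5", ts("2002-12-24 13:48:10"))
    dec24b = make_record("lew", "pts/1", "10.0.0.5", ts("2002-12-24 13:52:40"))
    may = make_record("root", "tty1", "", ts("2003-05-10 09:00:00"))
    return b"".join([dec20, zap_record(dec20), dec24a] +
                    [zap_record(dec24a)] * 5 + [dec24b, may])


if __name__ == "__main__":
    for line in report(build_sample_wtmp()):
        print("Checking `wted'... " + line)
```

To run it against a real file instead of the sample, pass `open("/var/log/wtmp", "rb").read()` to `report()`; on a system whose libc uses a different utmp layout the struct definition must be changed first, or every record will decode as garbage.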