Re: [cobalt-security] Post-restore chkrootkit reports
- Subject: Re: [cobalt-security] Post-restore chkrootkit reports
- From: Lew Mark-Andrews <lew.ml@xxxxxxxxxxxxx>
- Date: Sun, 1 Jun 2003 02:53:55 +0900
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Michael,
Thank you for responding.
>Hmm ... I'd guess that they either used a hard disk with the OS already on it,
>or they assigned you a RaQ which had been sitting around idly for some time.
>Which could be a problem because it might have been missing patches and was
>unmanaged and unmonitored. That's always a fishy combination.
>
>It's easy to check the OS restore date, though:
>
>#> ls -la /etc/build
>-rw-r--r-- 1 root root 33 May 27 00:18 /etc/build
>
>So the box used in this example was OS restored on May 27th.
The above returned the following on this server:
ls -la /etc/build
-rw-r--r-- 1 root root 32 Sep 26 2002 /etc/build
FWIW, the same date also appears for the restore on another server that we
had restored a few days after this one (no such wted reports from
chkrootkit on that server, though). Also, after the OS restores both boxes
had been patched by the data center up to the
RaQ-All-Security-2.0.1-16306.pkg (Pine & File Security Update 2.0.1) of
April 21, 2003. I did the most recent patches myself.
In this light, should I still be concerned about the chkrootkit reports of
wted deletions in December 2002 on this one box?
Thanks!
Lew
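As an added example (not from the thread or from chkrootkit itself), a small Python triage helper that applies Michael's /etc/build check to chkrootkit's wtmp-deletion report: deletions dated after the restore belong to this installation and need follow-up, while deletions dated before it would have to come from an earlier install's wtmp. The report line shape and the sample lines are assumed and constructed, not copied from the thread.

```python
import os
import re
from datetime import datetime

# Constructed sample lines in the shape chkrootkit's chkwtmp prints for wtmp
# deletions ("N deletion(s) between <date> and <date>"); the exact format is an
# assumption here, not quoted from the thread.
SAMPLE_WTED_REPORT = [
    "1 deletion(s) between Wed Dec 11 03:12:00 2002 and Wed Dec 11 04:40:00 2002",
    "2 deletion(s) between Tue Jul 16 22:05:00 2002 and Wed Jul 17 01:30:00 2002",
]

LINE_RE = re.compile(r"^(\d+) deletion\(s\) between (.+?) and (.+)$")
DATE_FMT = "%a %b %d %H:%M:%S %Y"


def restore_date(build_path="/etc/build"):
    """Michael's check: the mtime of /etc/build is the OS restore date (ISO string)."""
    return datetime.fromtimestamp(os.stat(build_path).st_mtime).strftime("%Y-%m-%d")


def parse_wted(lines):
    """Return (count, first, last) tuples for each deletion line; skip unrelated output."""
    found = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            first = datetime.strptime(m.group(2), DATE_FMT)
            last = datetime.strptime(m.group(3), DATE_FMT)
            found.append((int(m.group(1)), first, last))
    return found


def triage(lines, restored_iso):
    """Split reported deletions by whether they fall after the restore date.
    Entries after the restore were made on this installation and need follow-up;
    entries before it would have to be leftovers of an earlier install's wtmp."""
    restored = datetime.strptime(restored_iso, "%Y-%m-%d")
    deletions = parse_wted(lines)
    after = [d for d in deletions if d[2] >= restored]
    before = [d for d in deletions if d[2] < restored]
    return {"after": after, "before": before}


if __name__ == "__main__":
    result = triage(SAMPLE_WTED_REPORT, "2002-09-26")  # restore date from the thread
    for n, first, last in result["after"]:
        print(f"follow up: {n} wtmp deletion(s) between {first} and {last}")
```

On a live box, replace the literal date with restore_date() and feed it the actual chkrootkit output.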