[cobalt-users] [RaQ3] Infected files after patching
- Subject: [cobalt-users] [RaQ3] Infected files after patching
- From: "Per M Knutsen" <per.knutsen@xxxxxxxxxxxxxx>
- Date: Sat Sep 1 19:14:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

I am running chkrootkit-0.22 as a cron job every day. Yesterday, I installed
a number of patches on a RaQ3, including the kernel update. Today,
chkrootkit reports the following:

    Checking `du'... INFECTED
    Checking `ls'... INFECTED
    Checking `ps'... INFECTED
    Checking `bindshell'... INFECTED (PORTS: 1524 12321)

Everything else is reported as being "not vulnerable". The commands above
were not infected yesterday.

Am I hacked, or could this be erroneous reporting due to the kernel update?
E.g. would chkrootkit cry out if some commands change their timestamps?

Per M Knutsen
http://nethut.no/~pknutsen
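
The day-over-day comparison described in the message above can be scripted against saved output from the daily cron run. This is an added example, not part of the original post and not chkrootkit's own code; the function names and file names are assumptions, and the "yesterday" report is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: diff two daily chkrootkit reports and list what changed.

# Print the name of every check flagged INFECTED in a saved report.
# The two "." around the name match the `...' quoting chkrootkit prints.
infected_checks() {
    sed -n 's/^Checking .\([A-Za-z0-9_-]*\).\.\.\. INFECTED.*/\1/p' "$1"
}

# Print checks that are INFECTED in report $2 but were not in report $1.
new_findings() {
    prev_list=$(mktemp)
    infected_checks "$1" > "$prev_list"
    infected_checks "$2" | awk -v prev="$prev_list" '
        BEGIN { while ((getline line < prev) > 0) seen[line] = 1 }
        !($0 in seen)'
    rm -f "$prev_list"
}

# Print one port per line from the bindshell finding, if there is one.
bindshell_ports() {
    sed -n 's/^Checking .bindshell.\.\.\. INFECTED (PORTS: *\([0-9 ]*\)).*/\1/p' "$1" |
        tr -s ' ' '\n'
}

# Demo on two saved reports. today.txt holds the lines quoted in the post;
# yesterday.txt is constructed for this example.
demo_dir=$(mktemp -d)
cat > "$demo_dir/yesterday.txt" <<'EOF'
Checking `du'... not infected
Checking `ls'... not infected
Checking `ps'... not infected
Checking `bindshell'... not infected
EOF
cat > "$demo_dir/today.txt" <<'EOF'
Checking `du'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED
Checking `bindshell'... INFECTED (PORTS: 1524 12321)
EOF

echo "Newly flagged since the previous run:"
new_findings "$demo_dir/yesterday.txt" "$demo_dir/today.txt"
echo "Ports named by the bindshell check:"
bindshell_ports "$demo_dir/today.txt"
rm -rf "$demo_dir"
```

Keeping each day's report on disk lets a cron wrapper mail only the newly flagged checks, together with the date of the last clean run.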