[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] [RaQ3] Infected files after patching

Subject: Re: [cobalt-users] [RaQ3] Infected files after patching
From: Glen Scott <glen@xxxxxxxxxxxxxxxxxxxx>
Date: Sun Sep 2 18:01:14 2001
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

I am running chkrootkit-0.22 as a cron job every day. Yesterday, I installed
a number of patches on a RaQ3, including the kernel update. Today,
chkrootkit reports the following:

Checking `du'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED
Checking `bindshell'... INFECTED (PORTS:  1524 12321)

Everything else is reported as being "not vulnerable". The commands above
were not infected yesterday.

Am I hacked, or could this be erronous reporting due to the kernel update?
e.g. would chkrootkit cry out if some commands change their timestamps?

Not sure, but for your information, there is a newer version ofchkrootkit- v0.33- which I suggest you install:


http://www.chkrootkit.org/

Regards,

Glen Scott

--
---
  Design Solution Limited
  t: +44 (0)1502 513008
  f: +44 (0)1502 588622
  e: info@xxxxxxxxxxxxxxxxxxxx
  w: http://www.designsolution.co.uk
  Nouvotech House, Harbour Road,
  Oulton Broad, Suffolk, NR32 3LZ, UK
---
DS Knowledge Base http://faq.dessol.co.uk

References:
- [cobalt-users] [RaQ3] Infected files after patching
  - From: Per M Knutsen

Prev by Date: Re: [cobalt-users] [RaQ3] Cannot turn of POP Before SMTP Relaying
Next by Date: RE: [cobalt-users] Very slow FTP uploads
Previous by thread: [cobalt-users] [RaQ3] Infected files after patching
Next by thread: Re: [cobalt-users] [RaQ3] Infected files after patching

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index