Re: [cobalt-users] chkrootkit output show possible ambient
- Subject: Re: [cobalt-users] chkrootkit output show possible ambient
- From: Richard Siddall <cobalt@xxxxxxxxxxx>
- Date: Wed Nov 20 08:53:35 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>

"alan@" wrote:
>
> Thanks Richard,
> This is a fresh install on a client's server. Last week "somebody" changed
> the admin password. I got the co-lo to change it back but we still don't
> know why/how it was changed.
> So I have begun investigations! (I only gained this client when the
> password locked them out!!)
>
> I have been researching a little through the archives, and am considering
> whether to go through the suggestions in this posting:
> http://list.cobalt.com/pipermail/cobalt-users/2002-November/081008.html
>
> I have deleted /usr/lib/.ark? but I am not sure about the poster's
> instruction to delete /dev/ptyxx
> (is ptyxx pty with 2 wildcards or an actual file ptyxx?)
>
I don't know. I just took a look at /dev/pty* on a RaQ 4 and it looks
like there should not be a /dev/ptyxx.
Perhaps Steve Werby can clarify this.

> I guess, what I am trying to get away with, is not to have to wipe the disk
> and start again.
>
I've always wiped the disk.

> Anybody want to lay odds? :-(
>
> Thanks
>
> Alan
>
Richard.