
Re: [cobalt-users] chkrootkit output show possible ambient



"Richard Siddall" <cobalt@xxxxxxxxxxx> wrote:
> > I have deleted /usr/lib/.ark? but I am not sure about the posters
> > instruction to delete /dev/ptyxx
> > ( is ptyxx pty with 2 wildcards or an actual file ptyxx ? )
> >
>
> I don't know.  I just took a look at /dev/pty* on a RaQ 4 and it looks
> like there should not be a /dev/ptyxx.
>
> Perhaps Steve Werby can clarify this.

Correct.  I just checked several RaQ4s and they were all consistent when the
following program was run.  The Ambient rootkit hides some of its files in
/dev/ptyxx because most wouldn't look there, and even if you did, the name
wouldn't jump out given it's similar to those below.

[root /root]# ls -al /dev/ptyx*
crw-rw-rw-   1 root     tty        2, 128 May  5  1998 /dev/ptyx0
crw-rw-rw-   1 root     tty        2, 129 May  5  1998 /dev/ptyx1
crw-rw-rw-   1 root     tty        2, 130 May  5  1998 /dev/ptyx2
crw-rw-rw-   1 root     tty        2, 131 May  5  1998 /dev/ptyx3
crw-rw-rw-   1 root     tty        2, 132 May  5  1998 /dev/ptyx4
crw-rw-rw-   1 root     tty        2, 133 May  5  1998 /dev/ptyx5
crw-rw-rw-   1 root     tty        2, 134 May  5  1998 /dev/ptyx6
crw-rw-rw-   1 root     tty        2, 135 May  5  1998 /dev/ptyx7
crw-rw-rw-   1 root     tty        2, 136 May  5  1998 /dev/ptyx8
crw-rw-rw-   1 root     tty        2, 137 May  5  1998 /dev/ptyx9
crw-rw-rw-   1 root     tty        2, 138 May  5  1998 /dev/ptyxa
crw-rw-rw-   1 root     tty        2, 139 May  5  1998 /dev/ptyxb
crw-rw-rw-   1 root     tty        2, 140 May  5  1998 /dev/ptyxc
crw-rw-rw-   1 root     tty        2, 141 May  5  1998 /dev/ptyxd
crw-rw-rw-   1 root     tty        2, 142 May  5  1998 /dev/ptyxe
crw-rw-rw-   1 root     tty        2, 143 May  5  1998 /dev/ptyxf

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
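The check the thread is converging on, as an added example (not code from the original post, from Steve Werby, or from the Cobalt RaQ software): walk the pty entries in /dev and flag anything that does not fit the BSD-style pty master naming (pty[p-za-e][0-9a-f], the pattern the ls output above follows) or that is not a character device at all. The directory is taken as an argument so the same functions can be pointed at a test tree or a mounted image; the AUDIT_DEV_DIR variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or the Cobalt/RaQ software.
# Audit a /dev-style directory for entries that mimic the BSD-style pty
# master nodes (pty[p-za-e][0-9a-f]), which is where Ambient parks its
# /dev/ptyxx. The directory is passed as $1 so the check can also be run
# against a copied or mounted image; it defaults to /dev.

# Return 0 if NAME is a legitimately named BSD pty master node, e.g. ptyx0 or
# ptyxf; "ptyxx" fails because its last character is not a hex digit.
is_legit_pty_name() {
    case "$1" in
        pty[p-za-e][0-9a-f]) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Print, one per line, every pty* entry in DIR whose name is not a real
# pty node name. Nothing printed means nothing odd was found.
odd_pty_names() {
    dir=${1:-/dev}
    for path in "$dir"/pty*; do
        [ -e "$path" ] || [ -h "$path" ] || continue   # glob matched nothing
        name=${path##*/}
        is_legit_pty_name "$name" || printf '%s\n' "$name"
    done
}

# Print every pty* entry in DIR that is not a character device. A regular
# file or a directory carrying a pty name under /dev has no business there,
# whatever it is called.
non_device_pty_entries() {
    dir=${1:-/dev}
    for path in "$dir"/pty*; do
        [ -e "$path" ] || [ -h "$path" ] || continue
        [ -c "$path" ] || printf '%s\n' "${path##*/}"
    done
}

# Print both findings for DIR with a short header each.
audit_dev() {
    dir=${1:-/dev}
    printf 'pty entries with non-standard names in %s:\n' "$dir"
    odd_pty_names "$dir"
    printf 'pty entries that are not character devices in %s:\n' "$dir"
    non_device_pty_entries "$dir"
}

# Stand-alone run: audit the real /dev unless AUDIT_DEV_DIR (an assumed
# variable for this example) points somewhere else. Read access is enough.
audit_dev "${AUDIT_DEV_DIR:-/dev}"
```

On a clean RaQ4 both lists come back empty. The second check is the stronger one: a rootkit can pick a name that passes the pattern, but it cannot make a directory full of binaries into a character device, so any non-device pty entry is worth opening before deleting it.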