[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] chkrootkit output show possible ambient

Subject: Re: [cobalt-users] chkrootkit output show possible ambient
From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
Date: Wed Nov 20 09:14:03 2002
Organization: Befriend Internet Services LLC
List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>

"Richard Siddall" <cobalt@xxxxxxxxxxx> wrote:
> "alan@" wrote:
> >
> > Hi again,
> >
> > I have checked out the filestamps on traceroute and netstat and they
both
> > have the same stamp as every other (un-updated) file on the server, ie
June
> > 20 2000, so I think they are probably ok.
> >
>
> It's easy to fake timestamps.  You'd be better off comparing the size
> and MD5 sum against a known good copy.

And if Alan is checking with ls from /bin/ls all bets are off.  IIRC that's
one of the programs the rootkit replaces.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/

References:
- [cobalt-users] chkrootkit output show possible ambient
  - From: alan@
- Re: [cobalt-users] chkrootkit output show possible ambient
  - From: Richard Siddall
- Re: [cobalt-users] chkrootkit output show possible ambient
  - From: alan@
- Re: [cobalt-users] chkrootkit output show possible ambient
  - From: alan@
- Re: [cobalt-users] chkrootkit output show possible ambient
  - From: Richard Siddall

Prev by Date: Re: [cobalt-users] chkrootkit output show possible ambient
Next by Date: Re: [cobalt-users] Backup E-mail service on raq4
Previous by thread: Re: [cobalt-users] chkrootkit output show possible ambient
Next by thread: Re: [cobalt-users] chkrootkit output show possible ambient

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index