Re: [cobalt-users] chkrootkit-0.38/RaQ4
- Subject: Re: [cobalt-users] chkrootkit-0.38/RaQ4
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Wed Jan 15 15:26:15 2003
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
"B. Runge" <brunge@xxxxxxxxxxx> wrote:
> Checking `lkm'... You have 2 process hidden for readdir command
> You have 2 process hidden for ps command
> Warning: Possible LKM Trojan installed
Definitely a bad sign. It could be a false positive, so run it several times
over a period of a few minutes, and if it's reported every time then it's
likely the result of a trojan. I'd also run lsof to see what's running and
netstat -tupan to check for open ports, and verify binaries like ps, ls,
netstat, kill, md5sum, etc. by doing an md5sum and comparing to known clean
binaries. You can grab them from the Cobalt FTP site.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
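
The binary check described in the message above, as an added example that is not part of the original post: a shell function that compares files against a manifest of known-clean MD5 sums and reports mismatched or missing binaries. The function name `verify_binaries`, the `MD5SUM` and `VERIFY_BAD` variables, and the manifest file are assumptions made for illustration; because md5sum is itself on the list of binaries to verify, `MD5SUM` can point at a trusted copy.

```shell
#!/bin/sh
# Added example: check binaries against known-clean MD5 sums.
# Manifest format is md5sum's own output: "<md5 hex>  <absolute path>",
# generated on a clean system or from clean copies of the binaries.

# Hypothetical knob: path to a trusted md5sum (e.g. a static copy on
# read-only media), since the installed one may have been replaced.
MD5SUM="${MD5SUM:-md5sum}"

# verify_binaries MANIFEST [ROOT]
# ROOT is an optional prefix, for a suspect filesystem mounted elsewhere.
# Prints OK / MISMATCH / MISSING per file, sets VERIFY_BAD to the number
# of files that are not OK, and returns non-zero if there are any.
verify_binaries() {
    manifest=$1
    root=${2:-}
    bad=0
    while read -r want path || [ -n "$want" ]; do
        # Skip blank lines and comments in the manifest.
        case "$want" in ''|'#'*) continue ;; esac
        path=${path#\*}   # md5sum binary mode prefixes the name with '*'
        file="$root$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        got=$("$MD5SUM" < "$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $want, got $got)"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    VERIFY_BAD=$bad
    [ "$bad" -eq 0 ]
}

# When run as a script with arguments: ./verify.sh MANIFEST [ROOT]
if [ "$#" -ge 1 ]; then
    verify_binaries "$@"
fi
```

A MISMATCH here only shows that a file differs from the manifest, so the manifest has to come from binaries matching the installed OS release and patch level.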