Re: [cobalt-users] Chkrootkit - possible slapper worm
- Subject: Re: [cobalt-users] Chkrootkit - possible slapper worm
- From: Richard Siddall <cobalt@xxxxxxxxxxx>
- Date: Fri May 9 15:47:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Andy Clyde, oxfordmusic.net wrote:
> [raQ4]
> I have just started getting the possible slapper worm message via
> chkrootkit. I have run chkrootkit 4 or 5 times and it still comes up. I have
> deleted just about everything from /tmp and still I get this message.
> [snip]
> I have checked for .bugtraq files and cannot find any.
> Am I infected or is there something I have missed?
> Cheers
> Andy

You can get a false positive if you're running a RADIUS server that
binds to all IP addresses. Take a look at the chkrootkit source, especially:

    SLAPPER_PORT="0.0:2002 0.0|:4156 0.0|:1978 |0.0:1812 |0.0:2015 "

Are you running anything on those ports?
Regards,
Richard.
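
To find which listener could be behind the hit described above, this added example (not part of the original message and not chkrootkit's own code) lists sockets bound to 0.0.0.0 on the ports named in the quoted SLAPPER_PORT pattern. The function names, the constructed netstat sample and the Linux `netstat -an` column layout are assumptions of the example.

```shell
#!/bin/sh
# Added example, not chkrootkit code.
# Ports taken from the SLAPPER_PORT pattern quoted in the message above.
PORTS="2002 4156 1978 1812 2015"

# wildcard_binds: read `netstat -an`-style lines on stdin and print
# "<proto> <port>" for each socket whose local address is 0.0.0.0:<port>
# with <port> in $PORTS.
# Assumption: Linux net-tools layout (column 1 = protocol, column 4 = local
# address). Sockets bound to one specific IP are not reported.
wildcard_binds() {
    awk -v ports="$PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            k = split($4, a, ":")          # port is the last ":"-separated field
            port = a[k]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" && (port in want)) print $1, port
        }'
}

# Constructed sample output (documentation addresses, not from a real host).
# 1812/udp is the RADIUS authentication port mentioned in the reply.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:2002         0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:1812            0.0.0.0:*
udp        0      0 0.0.0.0:1813            0.0.0.0:*
tcp        0      0 192.0.2.10:22           198.51.100.7:2015       ESTABLISHED
EOF
}

# Demo on the constructed sample; on a live host run instead:
#   netstat -an | wildcard_binds
sample_netstat | wildcard_binds
```

Each reported port can then be tied to its owning process (for example with `netstat -anp` as root) to confirm whether it is an expected service such as a RADIUS daemon.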