Re: [cobalt-users] Chkrootkit - possible slapper worm
- Subject: Re: [cobalt-users] Chkrootkit - possible slapper worm
- From: "Andy Clyde, oxfordmusic.net" <cobalt-users@xxxxxxxxxxxxxxx>
- Date: Mon May 19 04:51:09 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
>
> I don't know. I'd be happier if I knew why you got the warning in the
> first place. If you did have a slapper worm, at this point you've
> probably deleted the binary. At worst it's hanging around in memory.
> You might want to check ps or reboot the box.
>

Any tips on how I might find out why this warning is occurring (I'm still
getting it periodically, say 1 in every 3 runs of chkrootkit)?

The only file I can find which looks like one of Slapper's is /sbin/update
but this has the same timestamp and file size as the same file on another of
my RaQ4s.

netstat -an does reveal something listening on port 4156 (Slapper.c uses
this port) but it seems to be an ASP thing.

tcp 0 0 127.0.0.1:3001 127.0.0.1:4156 ESTABLISHED
tcp 0 0 127.0.0.1:4156 127.0.0.1:3001 ESTABLISHED

How do I view the chkrootkit binary to find out what it's looking for for
Slapper?

andy
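
Added example, not part of the original post: one way to triage `netstat -an` lines that mention a port, separating sockets in LISTEN state from established loopback connections that merely have the port as one endpoint. The function name `classify_port` and the category labels are assumptions, Linux `netstat -an` column layout is assumed, and only the first two sample lines come from the post; the rest are constructed.

```shell
#!/bin/sh
# classify_port PORT: read `netstat -an` output on stdin and print one line
# per socket that involves PORT: <category> <proto> <local> <remote>
#   LISTEN         socket bound to PORT and accepting traffic
#   LOOPBACK-CONN  connection whose two ends are both on the loopback address
#   CONN           any other connection with PORT at either end
classify_port() {
    awk -v port="$1" '
    # Port is the text after the last ":" (Linux) or "." (BSD style).
    function portof(addr,   n, parts) {
        n = split(addr, parts, /[:.]/)
        return parts[n]
    }
    # Host is everything before that last separator.
    function hostof(addr) {
        sub(/[:.][^:.]*$/, "", addr)
        return addr
    }
    function isloop(host) {
        return (host ~ /^127\./ || host == "::1")
    }
    $1 ~ /^(tcp|udp)/ {
        lp = portof($4); rp = portof($5)
        if (lp != port && rp != port) next
        # UDP has no state column; an unconnected bound socket shows remote "*".
        if (lp == port && ($6 == "LISTEN" || ($1 ~ /^udp/ && rp == "*")))
            kind = "LISTEN"
        else if (isloop(hostof($4)) && isloop(hostof($5)))
            kind = "LOOPBACK-CONN"
        else
            kind = "CONN"
        print kind, $1, $4, $5
    }'
}

# Sample input: lines 1-2 are the ones quoted in the post, lines 3-5 are
# constructed to show what a listener and an unrelated socket look like.
sample='tcp 0 0 127.0.0.1:3001 127.0.0.1:4156 ESTABLISHED
tcp 0 0 127.0.0.1:4156 127.0.0.1:3001 ESTABLISHED
tcp 0 0 0.0.0.0:4156 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:4156 0.0.0.0:*
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN'

printf '%s\n' "$sample" | classify_port 4156
```

On a live box the same function can be fed with `netstat -an | classify_port 4156`.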