Re: [cobalt-users] Chkrootkit - possible slapper worm
- Subject: Re: [cobalt-users] Chkrootkit - possible slapper worm
- From: "Pete Smith" <lists@xxxxxxxxxxxx>
- Date: Mon May 19 07:46:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> >
> > I don't know. I'd be happier if I knew why you got the warning in the
> > first place. If you did have a slapper worm, at this point you've
> > probably deleted the binary. At worst it's hanging around in memory.
> > You might want to check ps or reboot the box.
> >
>
> any tips on how i might find out why this warning is occurring (i'm still
> getting it periodically, say 1 in every 3 runs of chkrootkit)?
>
> the only file i can find which looks like one of slapper's is /sbin/update
> but this has the same timestamp and file size as the same file on
> another of my RaQ4s. netstat -an does reveal something listening on
> port 4156 (Slapper.c uses this port) but it seems to be an ASP thing.
>
> tcp 0 0 127.0.0.1:3001 127.0.0.1:4156 ESTABLISHED
> tcp 0 0 127.0.0.1:4156 127.0.0.1:3001 ESTABLISHED
>
> how do i view the chkrootkit binary to find out what it's looking
> for for Slapper?
try the list at chkrootkit.org
PeTe :)
--
Kush-T Web Services (http://www.kush-t.co.uk)
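
One way to triage the `netstat -an` lines quoted above, added here as an example that is not part of the original message and is not chkrootkit's own code: it separates sockets that are listening on a flagged port from connections that merely have that port at one end. The function names `classify_port` and `sample_netstat` are hypothetical, the Linux net-tools column layout is assumed, and the last two sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify netstat -an lines that mention a flagged port.
# Output per matching socket: proto local foreign verdict
#   listener      - something is bound to the port and waiting for traffic
#   loopback-pair - both ends are on 127.0.0.0/8 (local IPC, not a network peer)
#   remote-peer   - the port is in use with a non-loopback address on one side

classify_port() {
    awk -v port="$1" '
    function port_of(addr,   n, parts) {   # text after the last ":"
        n = split(addr, parts, ":")
        return parts[n]
    }
    function host_of(addr) {               # text before the last ":"
        sub(/:[^:]*$/, "", addr)
        return addr
    }
    $1 ~ /^(tcp|udp)/ {
        local = $4; foreign = $5; state = $6   # udp lines have no state column
        if (port_of(local) != port && port_of(foreign) != port) next
        if (port_of(local) == port && (state == "LISTEN" || (state == "" && port_of(foreign) == "*")))
            verdict = "listener"
        else if (host_of(local) ~ /^127\./ && host_of(foreign) ~ /^127\./)
            verdict = "loopback-pair"
        else
            verdict = "remote-peer"
        print $1, local, foreign, verdict
    }'
}

# Sample input: the first two lines are the ones quoted in the message;
# the last two are constructed for contrast.
sample_netstat() {
    cat <<'EOF'
tcp 0 0 127.0.0.1:3001 127.0.0.1:4156 ESTABLISHED
tcp 0 0 127.0.0.1:4156 127.0.0.1:3001 ESTABLISHED
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:4156 0.0.0.0:*
EOF
}

sample_netstat | classify_port 4156
```

On a live box, pipe `netstat -an` into `classify_port 4156` instead of the sample; running `netstat -anp` as root or `lsof -i :4156` then names the process that owns any socket it reports.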