Simon Wilson wrote:
> We already run chkrootkit on a daily basis using cron (your advice I
> believe) and it is reporting nothing unusual.

...then tripwire is reporting something completely different.

> I ran a netstat on the machine, nothing unusual.

Good, although you can't trust a binary on a machine you think has been compromised.

At a rough guess, tripwire is complaining that either dates or permissions have changed. Have you run something which 'hardens' the RaQ by locking down certain binaries? Or have you recently installed a wrapped-up Cobalt system update?

Or alternatively, have a dig through /root/.bash_history for 'chmod -R'. Possibly someone accidentally ran it whilst sitting in / - I have, sadly, done this myself before. That time though I totally blew the machine away :(

I'd be more worried if it was only specific files, but the fact that everything in a bagload of dirs has been modified signifies one (or more) of:

  a dropped bollock by an administrator
  a script error
  a (bad?) Cobalt update
  an extremely wide-ranging rootkit
  an extremely talented cracker

Graeme
--
Graeme Fowler
System Administrator
Host Europe Group PLC
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
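
An added example, not part of the original message: a Python sketch of the triage the reply describes, separating files whose permissions or ownership changed while their contents stayed the same (the footprint of a recursive chmod) from files whose contents changed. The function names and the sample tree are constructed for illustration; it assumes a baseline snapshot taken earlier, and on a suspect host it should be run from trusted media.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Map each regular file under root to (permission bits, uid, gid, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root)] = (
                stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, digest)
    return snap

def triage(baseline, current):
    """Split differences into metadata-only, content, added and removed paths."""
    report = {"metadata_only": [], "content": [], "added": [], "removed": []}
    for path in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report["added"].append(path)
        elif new is None:
            report["removed"].append(path)
        elif old[3] != new[3]:
            report["content"].append(path)        # bytes differ: inspect first
        elif old[:3] != new[:3]:
            report["metadata_only"].append(path)  # same bytes, new mode/owner
    return report

def demo():
    """Constructed sample tree: a recursive chmod plus one edited file."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("bin/ls", "bin/ps", "etc/passwd", "etc/hosts"):
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("original " + rel)
            os.chmod(os.path.join(root, rel), 0o644)
        baseline = snapshot(root)
        for rel in baseline:                       # simulate an accidental 'chmod -R'
            os.chmod(os.path.join(root, rel), 0o755)
        with open(os.path.join(root, "bin/ps"), "w") as fh:  # one real content change
            fh.write("replaced")
        return triage(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A large `metadata_only` list with an empty `content` list matches the administrator-error or update explanations; any entry under `content` is where to look first.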
