Michael Stauber wrote:
> > On one customer system chkrootkit is reporting "amd" and "syslogd" are
> > both infected.
>
> This could be the LRK4 rootkit - among others:
>
> http://project.honeynet.org/challenge/results/submissions/addam/toolkit.txt
>
> However, if so, then CHKrootkit should find and identify it correctly, if I'm
> not mistaken.

Thanks for the info. The customer has decided he'll do whatever he does on his own. I hope he does something.

> Jeff, I gather you're quite experienced in regards to Cobalts.
>
> Did you recently stumble across any RaQ3 or RaQ4 which had /etc/shadow set to
> -r--------?
>
> Just today I had the third RaQ with the same signs and indications and I've
> heard about two others with the same issue.

Yes, but mine were okay; I could still read/write them as root.

Jeff
--
Jeff Lasman <[EMAIL PROTECTED]>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
