Hi,

Prob I did not install it properly.

Searching for LPD Worm files and dirs... Possible LPD worm installed
Checking `sniffer'... eth0 is not promisc

Also, I see the following entry in /etc/shadow

[root chkrootkit-pre-0.36]# cat /etc/passwd |grep pcap
pcap:x:77:77::/var/arpwatch:/sbin/nologin
[root chkrootkit-pre-0.36]# cd ~pcap
sh: /var/arpwatch: No such file or directory

I don't see port 666 open, and also I don't see the entry in inetd.conf/services.

Kindly advise

Regards,
Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Burton
Sent: Saturday, June 29, 2002 7:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] Some assistance needed

> I have d/l the latest version of chkrootkit.
> Seems like my system has been compromised.
> Searching for LPD Worm files and dirs... Possible LPD worm installed
> Checking `lkm'... not tested: can't exec ./chkproc
> Checking `sniffer'... not tested: can't exec ./ifpromisc
> Checking `wted'... not tested: can't exec ./chkwtmp
> Checking `z2'... not tested: can't exec ./chklastlog
>

Firstly read the instructions for chkrootkit, you missed the bit under installation then re-run it.

After that see what the script does .. and see what it is tripping out on..

Taking a quick look at the script it checks for:

A username in /etc/passwd starting with "kork" and/or a service listed in /etc/inetd.conf on port 666 (or one starting with 666), if you have these and they weren't put there by you then you may have a problem.

ChrisB.

--
http://ChrisBurton.info/
http://www.tyneside.lug.org.uk/
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
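
The two checks described in the reply above, as an added example that is not part of the original thread and is not chkrootkit's own code: a shell function that looks under a given root directory for an account name starting with "kork" and for an inetd.conf service field starting with 666. The function names, the sample trees and their contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): the two LPD worm indicators as
# described in the message, checked in ROOT/etc/passwd and ROOT/etc/inetd.conf.

# lpd_indicators ROOT -> prints one line per hit; returns 1 on any hit, else 0.
lpd_indicators() {
    root=${1%/}
    hits=0
    # Check 1: an account whose name starts with "kork".
    if [ -r "$root/etc/passwd" ]; then
        for u in $(awk -F: '$1 ~ /^kork/ { print $1 }' "$root/etc/passwd"); do
            echo "passwd: account $u"
            hits=1
        done
    fi
    # Check 2: an inetd.conf entry whose service field starts with 666.
    # Commented-out lines do not match because their first field starts with "#".
    if [ -r "$root/etc/inetd.conf" ]; then
        for s in $(awk '$1 ~ /^666/ { print $1 }' "$root/etc/inetd.conf"); do
            echo "inetd.conf: service $s"
            hits=1
        done
    fi
    return "$hits"
}

# Constructed sample trees (not taken from any real host).
make_samples() {
    base=$1
    mkdir -p "$base/clean/etc" "$base/flagged/etc"
    # "clean" mirrors the thread: a pcap account, no kork user, no active 666 line.
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'pcap:x:77:77::/var/arpwatch:/sbin/nologin' > "$base/clean/etc/passwd"
    printf '%s\n' '# 666 stream tcp nowait nobody /path/to/placeholder placeholder' \
        'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd' > "$base/clean/etc/inetd.conf"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'kork:x:1001:1001::/home/kork:/sbin/nologin' > "$base/flagged/etc/passwd"
    printf '%s\n' '666 stream tcp nowait nobody /path/to/placeholder placeholder' \
        > "$base/flagged/etc/inetd.conf"
}

demo=$(mktemp -d)
make_samples "$demo"
for tree in clean flagged; do
    echo "== $tree"
    lpd_indicators "$demo/$tree" || true
done
rm -rf "$demo"
```

Pointing the function at `/` checks the live system; pointing it at a mounted copy of the disk checks the same files without relying on the running system's view of them.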
