> [root chkrootkit-pre-0.36]# cat /etc/passwd |grep pcap
> pcap:x:77:77::/var/arpwatch:/sbin/nologin
> [root chkrootkit-pre-0.36]# cd ~pcap
> sh: /var/arpwatch: No such file or directory
>
My guess would be you installed the tcpdump package, and if you check in /var/log/messages you should see a correlation between the time you installed tcpdump and the account creation.

grep "new user: name=pcap" /var/log/messages
grep "Installing tcpdump-3.6.2-10.7x.i386.rpm" /var/cobalt/adm.log

The lines returned from these should show a similar timestamp.

But I would continue to check for the kork user.

ChrisB.
-- 
http://ChrisBurton.info/
http://www.tyneside.lug.org.uk/
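
The timestamp comparison suggested above, as an added example that is not part of the original message: it goes one step further and checks every `new user` entry against the install log, so an account with no matching package install stands out. The log lines are constructed, and the `adm.log` layout, the two-minute window and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines. The adm.log layout (syslog-style timestamp prefix)
# is an assumption; adjust the INSTALL pattern to the real file.
MESSAGES = """\
Mar  4 14:02:11 www useradd[2311]: new user: name=pcap, uid=77, gid=77, home=/var/arpwatch, shell=/sbin/nologin
Mar  6 03:17:45 www useradd[9120]: new user: name=kork, uid=502, gid=502, home=/home/kork, shell=/bin/bash
"""
ADM_LOG = """\
Mar  4 14:02:09 Installing tcpdump-3.6.2-10.7x.i386.rpm
"""

STAMP = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
NEW_USER = re.compile(STAMP + r" .*new user: name=(?P<name>[^,\s]+)")
INSTALL = re.compile(STAMP + r" .*Installing (?P<pkg>\S+\.rpm)")


def parse(text, pattern, field, year):
    """Return [(timestamp, value)] for every line that matches pattern."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            # Syslog timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m[field]))
    return events


def correlate(messages, adm_log, window_s=120, year=2002):
    """Map each new account to a package installed within window_s seconds, else None.

    window_s and year are assumed defaults, not values from the original message.
    """
    installs = parse(adm_log, INSTALL, "pkg", year)
    window = timedelta(seconds=window_s)
    result = {}
    for ts, name in parse(messages, NEW_USER, "name", year):
        near = [pkg for its, pkg in installs if abs(ts - its) <= window]
        result[name] = near[0] if near else None
    return result


if __name__ == "__main__":
    for user, pkg in correlate(MESSAGES, ADM_LOG).items():
        print(f"{user}: {pkg or 'NO MATCHING INSTALL - investigate'}")
```

An account that maps to `None` was not created by any logged package install and deserves a closer look.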
