Chkrootkit still reports
[root chkrootkit-0.37]# ./chkrootkit | grep INFECTED
Checking `passwd'... INFECTED
The md5sum of my /usr/bin/passwd is
0bbe46a45ee813b9aa94ef9a296cb723
I'd be grateful if someone could compare this with another RaQ2.
Thanks,
Julian
-----Original Message-----
From: Andy Brown [mailto:[EMAIL PROTECTED]]
Sent: 07 October 2002 13:35
To: [EMAIL PROTECTED]
Subject: RE: [cobalt-security] Is this suspicious?
<snip>
Checking `passwd'... INFECTED
</snip>
Not sure if anybody else noticed this, so thought I'd highlight it.
This is slightly unusual; the chkroot details say anything showing as INFECTED generally means the binary has been modified, probably by a trojan.
Unfortunately I don't have a RaQ2 myself, so can't check, but best is to do an md5sum on the file: md5sum /usr/bin/passwd, then compare the output to somebody else's machine.
You *could* have somebody in the system. Have you run chkrootkit again just to make sure it wasn't a false alarm?
Regards,
Andy
[EMAIL PROTECTED]
http://www.raqpak.com/ <-- Raq/Qube unofficial PKGs and support advice
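The check discussed in this thread, as an added example that is not part of the original messages: it pulls the names chkrootkit marks INFECTED out of its output, hashes each local binary and compares it with `md5sum` output saved on a known-good machine. The function names, the manifest file and the directory arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The manifest is `md5sum` output saved
# on a known-good machine with the same OS and package versions (assumption).
# A compromised host can lie about its own files, so run this with tools
# from trusted media where possible.

# Read chkrootkit output on stdin; print each check name marked INFECTED.
flagged_names() {
    sed -n "s/^Checking \`\([^']*\)'\.\.\. INFECTED.*/\1/p"
}

# verify_flagged MANIFEST DIR...
# For each name on stdin, locate the binary in DIR..., hash it and compare
# with the manifest entry for the same path. Prints one verdict per name.
# Exit status: 0 all MATCH, 1 any MISMATCH, 2 only UNKNOWN results.
verify_flagged() {
    manifest=$1; shift
    rc=0
    while read -r name; do
        path=
        for dir in "$@"; do
            [ -f "$dir/$name" ] && { path=$dir/$name; break; }
        done
        if [ -z "$path" ]; then
            echo "UNKNOWN $name (binary not found)"; [ "$rc" -eq 1 ] || rc=2
            continue
        fi
        # md5sum lines look like "<hash>  <path>"; match the path exactly.
        want=$(awk -v p="$path" '$2 == p { print $1; exit }' "$manifest")
        have=$(md5sum "$path" | awk '{ print $1 }')
        if [ -z "$want" ]; then
            echo "UNKNOWN $path (no reference hash)"; [ "$rc" -eq 1 ] || rc=2
        elif [ "$want" = "$have" ]; then
            echo "MATCH $path"
        else
            echo "MISMATCH $path local=$have reference=$want"; rc=1
        fi
    done
    return "$rc"
}
```

Typical use is `./chkrootkit | flagged_names | verify_flagged reference.md5 /bin /usr/bin`, where `reference.md5` is the manifest copied from the other machine. A MISMATCH only means the files differ, which a different package version also causes.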
