Steve, Well done. The instructions were perfect. I am now 99% sure that my server was not compromised, given what I learned about interpreting the responses from chkrootkit. Being a Linux newbie, my education continues, yet I would hope that those who use this forum would admonish Sun Cobalt to make utilities like this readily available and provide instructions as to their use. As a new user I should not be relegated to hunt for these types of utilities after hours of reading? These are things that should be more obvious.
Again, Thank you
Stefan

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:cobalt-security-
> [EMAIL PROTECTED]] On Behalf Of cobalt-security-
> [EMAIL PROTECTED]
> Sent: Friday, November 29, 2002 3:00 PM
> To: [EMAIL PROTECTED]
> Subject: cobalt-security digest, Vol 1 #997 - 3 msgs
>
> Send cobalt-security mailing list submissions to
>   [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>   http://list.cobalt.com/mailman/listinfo/cobalt-security
> or, via email, send a message with subject or body 'help' to
>   [EMAIL PROTECTED]
>
> You can reach the person managing the list at
>   [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cobalt-security digest..."
>
>
> Today's Topics:
>
>   1. Apache .bugtrac (Ja)
>   2. How to install chkrootkit (Stefan Jones)
>   3. RE: How to install chkrootkit (Steven Young)
>
> --__--__--
>
> Message: 1
> From: "Ja" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Date: Fri, 29 Nov 2002 10:44:53 -0000
> Subject: [cobalt-security] Apache .bugtrac
> Reply-To: [EMAIL PROTECTED]
>
> Hello
>
> Did patch RaQ3-All-Security-4.0.1-1-15787.pkg resolve the .bugtrac &
> /usr/lib/authenticate exploits? I would like to use the SSL
> port again which is currently 'firewalled off'
>
> Thanks
>
> Jon
>
> --__--__--
>
> Message: 2
> From: "Stefan Jones" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Date: Fri, 29 Nov 2002 12:26:20 -0500
> Organization: Wynn Consulting
> Subject: [cobalt-security] How to install chkrootkit
> Reply-To: [EMAIL PROTECTED]
>
> I think I have acquired a copy of chkrootkit. But I am unaware of the
> best way to install this software on a Sun Cobalt Qube 3 Professional.
> It was downloaded from http://www.chkrootkit.com/#related_links but
> does not appear to be the typical pkg that I can run the install
> manually on. Any help would be appreciated, I am somewhat of a Linux
> newbie. And seriously interested in the enhanced security monitoring
> capabilities that chkrootkit can offer.
>
> Stefan Wynn Jones
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:cobalt-security-
> > [EMAIL PROTECTED]] On Behalf Of cobalt-security-
> > [EMAIL PROTECTED]
> > Sent: Thursday, November 28, 2002 3:00 PM
> > To: [EMAIL PROTECTED]
> > Subject: cobalt-security digest, Vol 1 #996 - 1 msg
> >
> > Send cobalt-security mailing list submissions to
> >   [EMAIL PROTECTED]
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> >   http://list.cobalt.com/mailman/listinfo/cobalt-security
> > or, via email, send a message with subject or body 'help' to
> >   [EMAIL PROTECTED]
> >
> > You can reach the person managing the list at
> >   [EMAIL PROTECTED]
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of cobalt-security digest..."
> >
> >
> > Today's Topics:
> >
> >   1. Re: CROND (John 'JAYTEE' Tompkins)
> >
> > -- __--__--
> >
> > Message: 1
> > Date: Thu, 28 Nov 2002 16:52:05 +1100
> > Subject: Re: [cobalt-security] CROND
> > From: "John 'JAYTEE' Tompkins" <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Reply-To: [EMAIL PROTECTED]
> >
> > Tom,
> > On Our RAQ3, CROND appears as a process when monitor.pl executes on the
> > quarter hour
> > Always has...
> >
> > JAYTEE
> >
> > On Wednesday, November 27, 2002, at 09:12 AM, Skyhound Internet wrote:
> >
> > > I have a process running on one of my Raq4's called CROND. Not to be
> > > mistaken with crond.
> > >
> > > root 4180 0.0 0.1 1156 536 ? S 14:09 0:00 CROND
> > >
> > > I am unaware of what this process is. The latest chkrootkit shows no
> > > hacks.
> > >
> > > A reboot of the machine cleared it out but it came back again the next
> > > day.
> > >
> > > Any ideas of what this might be?
> > >
> > > Thanks
> > >
> > > Tom
> > >
> > > _______________________________________
> > > Skyhound Internet
> > > Long Beach CA
> > >
> > > _______________________________________________
> > > cobalt-security mailing list
> > > [EMAIL PROTECTED]
> > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > >
> >
> > -- __--__--
> >
> > _______________________________________________
> > cobalt-security mailing list
> > [EMAIL PROTECTED]
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> >
> >
> > End of cobalt-security Digest
> >
>
> --__--__--
>
> Message: 3
> From: "Steven Young" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: RE: [cobalt-security] How to install chkrootkit
> Date: Fri, 29 Nov 2002 17:40:53 -0000
> Reply-To: [EMAIL PROTECTED]
>
> > I think I have acquired a copy of chkrootkit. But I am
> > unaware of the best way to install this software on a Sun
> > Cobalt Qube 3 Professional. It was downloaded from
> > http://www.chkrootkit.com/#related_links but does not appear
> > to be the typical pkg that I can run the install manually on.
> > Any help would be appreciated, I am somewhat of a Linux
> > newbie. And seriously interested in the enhanced security
> > monitoring capabilities that chkrootkit can offer.
> >
> > Stefan Wynn Jones
>
> chkrootkit is nice and easy to install and setup from source. I did the
> following on a RaQ3 but I'm sure you can follow the following on a Qube
> too.
>
> SSH to your Qube and SU - to root
>
> To install:-
> ------------
>
> mkdir /usr/local/src (if it doesn't already exist)
> cd /usr/local/src
> wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz (grabs latest version of source 0.37)
> tar -xzf chkrootkit.tar.gz
> cd chkrootkit-0.37
> make sense
> cd ..
> mv chkrootkit-0.37 /usr/local/
> chown -R root:root /usr/local/chkrootkit-0.37
>
>
> To run:-
> --------
>
> cd /usr/local/chkrootkit-0.37
> ./chkrootkit
>
>
> To run automatically each day:-
> -------------------------------
>
> Edit /etc/crontab with the text editor of your choice (emacs / pico / vi
> / etc..) and add following to it:-
>
> # Run chkrootkit-0.37 daily at 6.30am and email output to root.
> 30 6 * * * root (cd /usr/local/chkrootkit-0.37; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)
>
> Now restart the cron daemon:-
>
> /etc/rc.d/init.d/crond restart
>
> and you should now receive an email to root each day at 6.30 am.
>
>
> Hope this helps,
> Steven Young
>
>
> --__--__--
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
>
> End of cobalt-security Digest

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
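
The thread turns on interpreting chkrootkit's responses and on mailing the full daily output to root. As an added example (not from any poster in the thread and not part of chkrootkit), this shell filter reduces a run to the lines that are not routine clean verdicts. The function names, the list of clean verdicts and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: reduce a chkrootkit run to the lines that need a human.

# Constructed sample of chkrootkit output (not captured from a real host).
sample_output() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Searching for sniffer's logs, it may take a while... nothing found
EOF
}

# Drop the banner, blank lines and routine "clean" verdicts; print the rest.
# The verdict list is an assumption: adjust it to your version's wording.
chkrootkit_findings() {
    awk '
        /^ROOTDIR is /  { next }
        /^[ \t]*$/      { next }
        /\.\.\. *(not infected|not found|nothing found|nothing detected|not tested)[ \t]*$/ { next }
        { print }
    '
}

# Read chkrootkit output on stdin. Clean run: print nothing, return 0.
# Otherwise print the findings and return 1 so the caller can alert.
chkrootkit_report() {
    findings=$(chkrootkit_findings)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone demonstration on the constructed sample.
if sample_output | chkrootkit_report; then
    echo "clean run: nothing to review"
else
    echo "findings above need manual review"
fi
```

A flagged line is a prompt to investigate, not proof of compromise: a listening mail service on port 465, for instance, produces the bindshell line shown in the sample.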
