Greetings,

About a week ago a server was compromised and we had it restored by data center staff. Within hours of the OS restore, a security package including chkrootkit was re-installed on the box. Since the restore, chkrootkit has continued to report:

Checking `wted'... 1 deletion(s) between Fri Dec 20 11:19:43 2002 and Tue Dec 24 13:48:10 2002
5 deletion(s) between Tue Dec 24 13:48:10 2002 and Tue Dec 24 13:52:40 2002
nothing deleted

No other anomalies have been seen in chkrootkit or otherwise.

I don't understand these dates. Since the box was just restored in May, I don't understand why chkrootkit is reporting wted changes of last December. And FWIW, before the restore, there were no chkrootkit reports of such problems around the Dec 20-24 dates in question.

Also, regarding the restore, IIRC I think for the sake of speed the data center may use "pre-restored" hard disks that are swapped in upon an OS restore request. Not sure if this was actually the case, or whether the restore was from a CD.

Can this indicate that the box is still insecure or questionable? Any opinions or suggestions very much appreciated.

Thanks,
Lew
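For readers following the report above, an added example (not part of the original post and not chkrootkit's own code) of a wtmp scan of this kind: it counts runs of zeroed login records and brackets each run with the timestamps stored in the neighbouring valid records, which is why the dates reflect the file's contents rather than when the check was run. It assumes the check flags records whose time field is zero and that the file uses the 384-byte glibc `struct utmp` layout; the function names and sample data are constructed for illustration.

```python
import calendar
import struct

# Assumption: 384-byte glibc `struct utmp` record layout (Linux x86).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
TV_SEC = 9  # index of ut_tv.tv_sec in the unpacked tuple


def find_zeroed_runs(wtmp_bytes):
    """Return (count, last_valid_ts, next_valid_ts) for each run of zeroed records."""
    runs, zeroed, last_valid = [], 0, None
    usable = len(wtmp_bytes) - len(wtmp_bytes) % UTMP.size  # ignore a torn tail
    for off in range(0, usable, UTMP.size):
        ts = UTMP.unpack_from(wtmp_bytes, off)[TV_SEC]
        if ts == 0:
            zeroed += 1
            continue
        if zeroed:
            runs.append((zeroed, last_valid, ts))
            zeroed = 0
        last_valid = ts
    if zeroed:  # zeroed records at the end of the file have no closing timestamp
        runs.append((zeroed, last_valid, None))
    return runs


def login_record(ts, user=b"admin", line=b"pts/0"):
    """Build one constructed USER_PROCESS (type 7) record for the sample below."""
    return UTMP.pack(7, 1000, line, b"", user, b"", 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")


# Constructed sample: timestamps chosen to mirror the report quoted in the post,
# treated as UTC for the demonstration.
T1 = calendar.timegm((2002, 12, 20, 11, 19, 43))
T2 = calendar.timegm((2002, 12, 24, 13, 48, 10))
T3 = calendar.timegm((2002, 12, 24, 13, 52, 40))
WIPED = bytes(UTMP.size)  # a record overwritten with zeros
SAMPLE_WTMP = (login_record(T1) + WIPED + login_record(T2)
               + WIPED * 5 + login_record(T3))

if __name__ == "__main__":
    for count, before, after in find_zeroed_runs(SAMPLE_WTMP):
        print(count, "zeroed record(s) between", before, "and", after)
```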
