Dear Cobalt Gurus,

I compiled and ran chkrootkit. It came up clean except for:

passwd... INFECTED

Yeow! I assume it means /bin/passwd and that my next step is to compare the existing binary with the one in the OS restore (are these assumptions correct?).

My machine is a RaQ2. The OS restore file, which I have obtained from the Cobalt site, is named 960-RAQ20101AU[1].iso and it's approx 220 megs. How do I extract from it the /bin/passwd binary in order to compare it to the (possibly hacked?) /bin/passwd binary currently on my system?

I have no idea how a hacker might have gotten in, nor have I seen evidence of damage to the system nor strange log entries, etc. Nonetheless, I'd rather be safe than sorry!

TIA for any pearls of wisdom you can share!

Dan Keller
[EMAIL PROTECTED]
415/861-4500

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
