On Tuesday 24 December 2002 19:12, Dan Keller wrote:
> Dear Cobalt Gurus,
>
> I compiled and ran chkrootkit. It came up clean
> except for:
>
> passwd... INFECTED
>
> Yeow! I assume it means /bin/passwd and that
> my next step is to compare the existing binary
> with the one in the OS restore (are these assumptions
> correct?)
>
> My machine is a RaQ2. The OS restore file which
> I have obtained from the Cobalt site is named
> 960-RAQ20101AU[1].iso and it's approx 220 megs.
>
> How do I extract from it the /bin/password binary
> in order to compare it to the (possibly hacked?)
> /bin/password binary currently on my system?
>

It isn't /bin/passwd! Getting it off the OSRCD is a little complicated. Try this:

[root /root]# md5sum /usr/bin/passwd
0bbe46a45ee813b9aa94ef9a296cb723  /usr/bin/passwd

Gerald
--
http://frontstreetnetworks.com http://raqware.com
Front Street Networks LLC | Phone: 203-785-0699
229 Front Street, Ste C, New Haven, CT 06513-3203
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
