On Wed, 2002-12-25 at 03:12, Dan Keller wrote:
> Dear Cobalt Gurus,
>
> I compiled and ran chkrootkit. It came up clean
> except for:
>
> passwd... INFECTED
>
> Yeow! I assume it means /bin/passwd and that
> my next step is to compare the existing binary
> with the one in the OS restore (are these assumptions
> correct?)
>
> My machine is a RaQ2. The OS restore file which
> I have obtained from the Cobalt site is named
> 960-RAQ20101AU[1].iso and it's approx 220 megs.
>
> How do I extract from it the /bin/password binary
> in order to compare it to the (possibly hacked?)
> /bin/password binary currently on my system?
>
> I have no idea how a hacker might have gotten in
> nor have I seen evidence of damage to the system
> nor strange log entries, etc. Nonetheless, I'd rather
> be safe than sorry!
>
> TIA for any pearls of wisdom you can share!

http://list.cobalt.com/pipermail/cobalt-security/2002-October/006533.html

Eugene

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
