Subject: Re: system possibly compromised
To: Roger Fischer <rgfisch@excite.com>
From: Scott Zahn <scott@xeroxparc.net>
List: netbsd-help
Date: 02/24/2004 21:32:25
I think I get a /USR/BIN/CRON when cron is normally executing something
like it's supposed to do.

On Tue, 24 Feb 2004, Roger Fischer wrote:

>
> Well, I installed "lsof" and "chkrootkit".
> There are not docs or manpages for "chkrootkit".
>
> Anyway, it looks like all the open ports are OK.
> That "/USR/BIN/CRON" is still weird.
> I'll have to keep an eye on the system, and I may be
> doing a reinstall soon.
>
> Thanks,
> Roger.
>
> P.S.
>  I'll still appreciate any additional ideas to check out
> if anybody sends them my way.
>
>
>
>
>
>  --- On Tue 02/24, Herb Peyerl < hpeyerl@beer.org > wrote:
> From: Herb Peyerl [mailto: hpeyerl@beer.org]
> To: rgfisch@excite.com
>      Cc: michal@pasternak.w.lub.pl, netbsd-help@netbsd.org
> Date: Tue, 24 Feb 2004 10:20:33 -0700
> Subject: Re: system possibly compromised
>
> Tue, 24 Feb 2004 12:15:16 -0500.<br>             <20040224171516.DDC5E3CF7@xprdmailfe10.nwk.excite.com>
>  >
>  > $ find /dev -type d
>  > /dev
>  > /dev/fd
>  > /dev/altq
>
> Yeah, that's all good, unless they wrapped "find".  I don't know
> if there are any NetBSD rootkits and if there are, I don't know what
> they do. I only know what the various Solaris ones do.
>
>
>
> _______________________________________________
> Join Excite! - http://www.excite.com
> The most personalized portal on the Web!
>

--
1 + 1 = 10