Subject: Re: system possibly compromised
To: Roger Fischer <rgfisch@excite.com>
From: Scott Zahn <scott@xeroxparc.net>
List: netbsd-help
Date: 02/24/2004 21:35:29
Oops, I should have read the whole thread before replying anything...
I would have seen that people already answered.  I'll shut up now. :)

On Tue, 24 Feb 2004, Scott Zahn wrote:

> I think I get a /USR/BIN/CRON when cron is normally executing something
> like it's supposed to do.
>
> On Tue, 24 Feb 2004, Roger Fischer wrote:
>
> >
> > Well, I installed "lsof" and "chkrootkit".
> > There are no docs or manpages for "chkrootkit".
> >
> > Anyway, it looks like all the open ports are OK.
> > That "/USR/BIN/CRON" is still weird.
> > I'll have to keep an eye on the system, and I may be
> > doing a reinstall soon.
> >
> > Thanks,
> > Roger.
> >
> > P.S.
> >  I'll still appreciate any additional ideas to check out
> > if anybody sends them my way.
> >
> >  --- On Tue 02/24, Herb Peyerl < hpeyerl@beer.org > wrote:
> > From: Herb Peyerl [mailto: hpeyerl@beer.org]
> > To: rgfisch@excite.com
> >      Cc: michal@pasternak.w.lub.pl, netbsd-help@netbsd.org
> > Date: Tue, 24 Feb 2004 10:20:33 -0700
> > Subject: Re: system possibly compromised
> >
> > Tue, 24 Feb 2004 12:15:16 -0500. <20040224171516.DDC5E3CF7@xprdmailfe10.nwk.excite.com>
> >  >
> >  > $ find /dev -type d
> >  > /dev
> >  > /dev/fd
> >  > /dev/altq
> >
> > Yeah, that's all good, unless they wrapped "find".  I don't know
> > if there are any NetBSD rootkits and if there are, I don't know what
> > they do. I only know what the various Solaris ones do.
> >
> >
>
> --
> 1 + 1 = 10
>

--
1 + 1 = 10