
On Sunday 01 February 2004 09:49 am, David Herman wrote:
On Saturday 31 January 2004 11:14 pm, GarUlbricht7@netscape.net wrote:
I am surprised that you have not posted this on suse-security mailing list: http://www.suse.com/us/private/support/online_help/mailinglists/index.html
Or maybe you have and I just missed it.
----------snip--------

Actually I wasn't on that list until just now, I'll post there shortly unless someone beats me to it.
I was really hoping that checkroot was giving a false positive. I did fill out the webform at feedback.suse but who knows how long that will take.
see ya
--
dh
Don't shop at GoogleGear.com!

A couple notes:

Have you checked your system logs? Did you have either a Tripwire or AIDE database prior?

Check for deleted (possibly trojaned) executables via:

    # file /proc/[0-9]*/exe|grep '(deleted)'

Also extract the binary version from the installation CD of ps, ls, who (commonly trojaned executables) onto a floppy from another system. Write protect it! Then perform a compare of the valid (floppy) version against the possibly trojaned executable via:

    # cmp /media/floppy/valid_exec /bin/trojan_exec

This will do a byte-by-byte comparison of both executables.

You can search for the debugging symbols from the "trojaned" executable via:

    # nm trojan_exec | more

Also check for any ASCII text in the executable via:

    # strings -a trojan_exec | more

HTH.
thomas
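
The two checks from the reply above (processes whose executable has been deleted, and a byte-by-byte compare against known-good copies), combined into one script. This is an added example, not part of the original thread; the function names, the status words and the /media/floppy layout in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example. Function names and status words are illustrative.

# Print "PID target" for every process whose exe link ends in " (deleted)".
# $1 = proc root (defaults to /proc; a parameter so a constructed tree can be checked).
deleted_exes() {
    root=${1:-/proc}
    for link in "$root"/[0-9]*/exe; do
        [ -L "$link" ] || continue
        # Kernel threads and vanished PIDs have no readable link; skip them.
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            *' (deleted)')
                pid=${link%/exe}; pid=${pid##*/}
                printf '%s %s\n' "$pid" "$target" ;;
        esac
    done
}

# Compare installed binaries against known-good copies with cmp.
# $1 = directory of trusted copies, $2 = directory under suspicion, rest = file names.
# Prints one status line per name; returns 1 if anything differs or is absent.
compare_bins() {
    trusted=$1; suspect=$2; shift 2
    rc=0
    for name in "$@"; do
        if [ ! -f "$trusted/$name" ]; then
            echo "NOREF $name"; rc=1      # no trusted copy to compare with
        elif [ ! -f "$suspect/$name" ]; then
            echo "MISSING $name"; rc=1    # binary absent on the system
        elif cmp -s "$trusted/$name" "$suspect/$name"; then
            echo "OK $name"
        else
            echo "DIFFERS $name"; rc=1    # at least one byte is different
        fi
    done
    return $rc
}

# Typical use (paths are assumptions):
#   deleted_exes
#   compare_bins /media/floppy /bin ps ls
```

A DIFFERS result only means the bytes are not identical, so the trusted copies must come from the same package version as the installed ones. Run the script with a shell, cmp and readlink taken from the write-protected media, since the copies on the suspect system may themselves have been replaced.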