On Fri, 22 Feb 2008 03:20:10 +0100 Uwe Dippel <[EMAIL PROTECTED]> wrote:
>This is what I get at running rkhunter --check:
>[10:06:19] Checking system startup files for malware [ Warning ]
>[10:06:19] Warning: Found string 'sshdd' in file '/etc/pwd.db'.
>Possible rootkit: Possible GasKit rootkit

AFAIK GNU/Linux-only (haven't got this kit in my repo) and password entry probably not much use without dev/dev/gaskit/.*. Wrt entry itself, if it is in pwd.db it should be in master.* as well, right? If you stat master and pwd.db, do timestamps match? Any useradd logging and backups to support this? (If any doubts, please do take the box offline before auditing like John suggested).

Regards, unSpawn

Rkhunter-users mailing list
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
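
Added example, not part of the original message or of rkhunter: a small shell function that runs the two checks suggested in the reply above, whether the flagged string is also in the text source of the database and whether the two files' modification times agree. It assumes a BSD-style layout in which pwd.db is generated from master.passwd; the function name `check_pwd_entry` and its verdict words are hypothetical.

```shell
#!/bin/sh
# check_pwd_entry STRING MASTER DB
# Prints one verdict word (names chosen for this example):
#   absent      STRING does not occur in DB
#   consistent  STRING occurs in both files and MASTER is not newer than DB
#   db-only     STRING occurs in DB but not in MASTER
#   stale-db    STRING occurs in both, but MASTER changed after DB was built
check_pwd_entry() {
    str=$1
    master=$2
    db=$3

    # -a: read the binary database as text, -F: literal match, -q: status only
    if ! grep -aFq -- "$str" "$db"; then
        echo absent
        return 0
    fi

    # The database is built from the text file, so the string should be there too
    if ! grep -Fq -- "$str" "$master"; then
        echo db-only
        return 0
    fi

    # find -newer prints MASTER only if its mtime is later than DB's
    if [ -n "$(find "$master" -newer "$db" 2>/dev/null)" ]; then
        echo stale-db
    else
        echo consistent
    fi
}

# Stand-alone use: sh check.sh sshdd /etc/master.passwd /etc/pwd.db
if [ $# -eq 3 ]; then
    check_pwd_entry "$@"
fi
```

A `db-only` result means the match needs a closer look, not that the file was tampered with: a substring found in a binary file may span two adjacent records. Run it against copies taken from the offline box rather than on the live system.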
