Security Basics
mailing list archives
HP UX 10.20
From: Alvin Wong <alvin.wong () b2b com my>
Date: 05 Sep 2003 16:03:03 +0800
Hi,
Thanks for your findings, John. I believe that it is the result of the
way it uses:
On HP-UX 10.20:
# strings /sbin/init | egrep HOME
HOME=
# echo $?
0
and if return status is 0, then status=INFECTED
On linux:
bash-2.05$ strings /sbin/init | egrep HOME
bash-2.05$ echo $?
1
From the chkrootkit script:
# Return Codes
INFECTED=0
NOT_INFECTED=1
NOT_TESTED=2
NOT_FOUND=3
Source: Tim Adamson
Regards,
Alvin
On Fri, 2003-09-05 at 14:17, John C. Dack wrote:
Hi,
I have run the chkrootkit program on a HPUX box that has had a new install of 10:20 and has never been connected to
the internet and have had the same results. I'm not sure, but this may be a misinterpretation by the chkrootkit
program.
I'm sure someone will tell me if I'm wrong :-)
John
-----Original Message-----
From: Alvin Wong [mailto:alvin.wong () b2b com my]
Sent: 04 September 2003 09:41
To: security-basics () securityfocus com
Subject: HP UX 10.20
Hi,
I would like to request help on HP UX 10.20. I have recently run
chkrootkit on it and found that there was an alert for the Suckit rootkit
where /sbin/init has been infected. What is the recommended plan of
action here? Do I replace it with a new init? And where do I get the new
init from?
Does anyone have recommendations or links to information where I can clean the
system of the rootkit?
Thanks in advance.
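
Added example (not part of the thread and not chkrootkit's own code): the string test quoted above, reproduced on constructed files to show why a binary that legitimately contains "HOME=" is reported as INFECTED, followed by a triage step against a reference copy. The function names, sample files and the reference-copy comparison are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: the string test quoted in the thread, run on constructed files.
# All file names and contents below are constructed for illustration.

# Printable strings of a file; falls back to tr where strings(1) is not installed.
printable() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1"
    fi
}

# Same logic as the command in the thread: if grep finds "HOME" (exit status 0),
# the result is INFECTED, matching the quoted return-code table.
signature_check() {
    if printable "$1" | grep HOME >/dev/null; then
        echo INFECTED
    else
        echo NOT_INFECTED
    fi
}

# Triage a hit against a reference copy. Assumption: $2 comes from install media
# or a never-networked install of the same OS release and patch level.
triage() {
    if [ "$(signature_check "$1")" = NOT_INFECTED ]; then
        echo no-hit
    elif cmp -s "$1" "$2"; then
        echo false-positive    # flagged, but byte-identical to the reference
    else
        echo investigate       # flagged and different from the reference
    fi
}

# Constructed stand-ins for init binaries (not real executables).
SAMPLES=$(mktemp -d)
printf '\001\002init\000HOME=\000/sbin/sh\000\003' > "$SAMPLES/init.hpux"
cp "$SAMPLES/init.hpux" "$SAMPLES/init.reference"
printf '\001\002init\000/bin/sh\000\003\004' > "$SAMPLES/init.linux"
printf '\001\002init\000HOME=\000/sbin/sh\000\377extra' > "$SAMPLES/init.modified"

for f in init.hpux init.linux init.modified; do
    echo "$f: $(signature_check "$SAMPLES/$f") -> $(triage "$SAMPLES/$f" "$SAMPLES/init.reference")"
done
```

On a host that may really be compromised, run the comparison with tools and a reference copy taken from trusted media, since a kernel-level rootkit can alter what local tools report.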