From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 02:19:26 2003
From: patpro <patpro@patpro.net>
To: freebsd-security@freebsd.org
Date: Sun, 24 Aug 2003 11:19:24 +0200
Subject: weird problem with chkrootkit and checksums

Hello,

Last night, my chkrootkit crontab returned an alarm message:

> Checking `lkm'... You have 1 process hidden for readdir command
> You have 2 process hidden for ps command
> Warning: Possible LKM Trojan installed

Some research on Google makes me think it's probably a false positive. I tried a few things:

Re-launching chkrootkit: "Checking `lkm'... nothing detected"

Re-compiling and launching a fresh binary: "Checking `lkm'... nothing detected"

And comparing some critical binaries with the ones compiled at the beginning of August during a make world:

$ md5 /usr/obj/usr/src/bin/ls/ls
MD5 (/usr/obj/usr/src/bin/ls/ls) = cd2dcad3cc08b5f5ad05456f016e8099
$ md5 /bin/ls
MD5 (/bin/ls) = 1808e84cfcbaf71ce1073cc418ff262a
$ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) = 7fbd1e72a5795b038b16ece37df13ee0
$ md5 /usr/bin/netstat
MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501

I feel like there is something wrong here... I picked random binaries and compared their checksums with their /usr/obj/usr/src/ counterparts, and every time they do not match. I tried the same check on another box running the same version of FreeBSD and found the same differing checksums:

$ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) = 7fbd1e72a5795b038b16ece37df13ee0
$ md5 /usr/bin/netstat
MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501

So I guess it's normal behaviour. Can someone please explain to me why the original binaries (/usr/obj/usr/src/) don't have the same checksum as the installed binaries?

Thanks,
patpro
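The comparison the poster is doing (whole-file MD5 of the /usr/obj build output against the installed file) cannot match on FreeBSD even when nothing is wrong: bsd.prog.mk installs programs through `install -s`, which strips the symbol table and rewrites the section headers, while the copy left in /usr/obj keeps them. A check that only hashes what the loader actually maps (the PT_LOAD segments, with the header's section-table fields masked) lets an operator verify the installed copy against the build tree regardless of stripping, and still catches a patched instruction. The script below is an added example, not code from the poster, chkrootkit or FreeBSD; the script name `elfcmp.py`, the `build_elf64` helper and the sample images it builds are constructed for the demonstration, and only the loaded bytes are compared (a changed dynamic section or relocation inside a loaded segment still shows up; data outside every PT_LOAD is deliberately ignored).

```python
#!/usr/bin/env python3
"""Compare a built ELF binary with its installed copy while ignoring the
symbol and section data that `install -s` / `strip` removes.
Hypothetical script (elfcmp.py) written for this example; not part of
chkrootkit or FreeBSD."""
import hashlib
import struct
import sys

PT_LOAD = 1


def _elf_layout(data):
    """Header fields needed to walk the program headers, for ELF32 or ELF64."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = {1: "<", 2: ">"}[data[5]]          # EI_DATA: little or big endian
    if data[4] == 1:                          # EI_CLASS 1: ELF32 (e.g. FreeBSD/i386)
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        # phdr fields: type, offset, vaddr, paddr, filesz, memsz, flags, align
        return end, phoff, phentsize, phnum, "IIIIIIII", (0, 1, 4), (32, "I"), (48, "HH")
    if data[4] == 2:                          # EI_CLASS 2: ELF64
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        # phdr fields: type, flags, offset, vaddr, paddr, filesz, memsz, align
        return end, phoff, phentsize, phnum, "IIQQQQQQ", (0, 2, 5), (40, "Q"), (60, "HH")
    raise ValueError("unknown ELF class")


def loaded_segment_digest(data):
    """SHA-256 over the file bytes every PT_LOAD segment maps into memory.
    The header's section-table fields (e_shoff, e_shnum, e_shstrndx) are
    zeroed first because strip rewrites them and the first PT_LOAD normally
    covers the ELF header.  .symtab, .strtab and the section header table
    lie outside every PT_LOAD, so they never reach the hash."""
    end, phoff, phentsize, phnum, fmt, (i_type, i_off, i_size), shoff, shnum = _elf_layout(data)
    norm = bytearray(data)
    struct.pack_into(end + shoff[1], norm, shoff[0], 0)
    struct.pack_into(end + shnum[1], norm, shnum[0], 0, 0)
    h = hashlib.sha256()
    for i in range(phnum):
        fields = struct.unpack_from(end + fmt, data, phoff + i * phentsize)
        if fields[i_type] == PT_LOAD:
            start, size = fields[i_off], fields[i_size]
            h.update(struct.pack("<QQ", start, size))   # segment geometry is part of the identity
            h.update(norm[start:start + size])
    return h.hexdigest()


def compare(built, installed):
    """Return (whole-file MD5 equal?, loaded segments equal?) for two ELF images."""
    whole = hashlib.md5(built).hexdigest() == hashlib.md5(installed).hexdigest()
    return whole, loaded_segment_digest(built) == loaded_segment_digest(installed)


def build_elf64(code, symtab=b""):
    """Construct a minimal ELF64 image: header, one PT_LOAD that (like real
    binaries) starts at file offset 0, the code, then an optional trailing
    blob standing in for the symbol table and section headers that strip
    discards.  Constructed test data, not a real FreeBSD binary."""
    ehsize, phentsize, base = 64, 56, 0x400000
    code_off = ehsize + phentsize                       # 120
    shoff = code_off + len(code) if symtab else 0
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, base + code_off,
                               ehsize, shoff, 0, ehsize, phentsize, 1,
                               64, 2 if symtab else 0, 1 if symtab else 0)
    filesz = code_off + len(code)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, filesz, filesz, 0x1000)
    return ehdr + phdr + code + symtab


# Constructed sample: the same code once with symbols (as left in /usr/obj)
# and once without (as `install -s` would put it under /bin).
CODE = b"\x31\xc0\xc3"                                  # xor eax,eax ; ret
SYMBOLS = b"\x00_start\x00main\x00.text\x00.symtab\x00"
UNSTRIPPED = build_elf64(CODE, SYMBOLS)
STRIPPED = build_elf64(CODE)
# A copy whose code really was altered: first instruction byte patched to nop.
TAMPERED = STRIPPED[:120] + b"\x90" + STRIPPED[121:]


def main(argv):
    if len(argv) != 3:
        print("usage: elfcmp.py /usr/obj/usr/src/bin/ls/ls /bin/ls", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as a, open(argv[2], "rb") as b:
        whole, loaded = compare(a.read(), b.read())
    print(f"whole-file md5 match: {whole}; loaded segments match: {loaded}")
    return 0 if loaded else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `elfcmp.py /usr/obj/usr/src/bin/ls/ls /bin/ls`: a stripped-only difference reports "whole-file md5 match: False; loaded segments match: True" and exits 0, whereas a modified instruction in the installed copy fails both checks and exits 1. The segment offsets and sizes are folded into the digest on purpose, so a binary that moved code around cannot masquerade as identical by preserving the byte stream alone.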