Date:      20 May 2003 22:55:54 -0400
From:      Lowell Gilbert <freebsd-questions-local@be-well.no-ip.com>
To:        Guy Van Sanden <n.b@myrealbox.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: HELP - Rootkit - add info
Message-ID:  <44wuglovnp.fsf@be-well.ilk.org>
In-Reply-To: <1053459934.2959.224.camel@cronos.home.vsb>
References:  <1053459934.2959.224.camel@cronos.home.vsb>

Guy Van Sanden <n.b@myrealbox.com> writes:

> I forgot to mention some basic stuff (the idea that my box could be
> hacked scares the living daylights out of me).
> 
> I run FreeBSD 5.0-RELEASE (patches applied)
> the md5sums of the files in question match those on knowngoods.org (of
> course md5 could be hacked as well).
> 
> Last does not report any strange connections, and I can't find anything
> on my firewall that indicates this too.
> 
> I ran aide (against an old database), and it doesn't report these files
> as changed either (which also is inconclusive).
> 
> I'm currently running clamscan on everything, but that's going to take a
> while.
> 
> Thanks for any help
> 
> 
> -----Forwarded Message-----
> 
> From: Guy Van Sanden <n.b@myrealbox.com>
> To: freebsd-questions@freebsd.org
> Subject: HELP - Rootkit
> Date: 20 May 2003 21:18:38 +0200
> 
> I found some strange files in /stand namely -sh and [
> This got me somewhat suspicious, so I installed chkrootkit.

There are supposed to be files by those names.
Also, chkrootkit is known to give false positives on FreeBSD 5.x.

This doesn't guarantee that you're uninfected, but so far everything
you've described is the same as a clean install.
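The thread's "compare the md5sums against a known-good list" step, written out as an added example (not code from either poster, and not the format knowngoods.org or aide use). The manifest format ("<sha256>  <relative path>", one entry per line) and the sample tree standing in for /stand are my own construction; the entries for "-sh", "[" and "sysinstall" are made up to exercise the OK, MISMATCH and MISSING cases, not real FreeBSD 5.0 hashes. It uses SHA-256 rather than MD5 and picks whichever hashing tool is present (GNU `sha256sum` or BSD `sha256 -q`). The caveat the thread itself raises still applies: on a box you suspect is rooted, the hash tool, the shell and the kernel that answer this script are exactly what a rootkit would replace, so run it from a boot CD or a statically linked copy you brought from a clean host, and only then trust the result.

```shell
#!/bin/sh
# Added example: verify a tree against a known-good hash manifest.
# Hash helper: GNU coreutils (sha256sum) or BSD userland (sha256 -q).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# verify_manifest MANIFEST ROOT
# Manifest lines look like "<sha256>  <path relative to ROOT>".
# Prints one status line per entry (OK / MISMATCH / MISSING) and
# returns 1 if any entry is not OK, so it can drive a script or cron job.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r want path; do
        [ -z "$want" ] && continue            # skip blank lines
        case $want in \#*) continue ;; esac   # skip comments
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; bad=1
        elif [ "$(hash_file "$f")" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Constructed sample (hypothetical, not real FreeBSD hashes): a temp dir
# standing in for /stand with two files and a three-entry manifest.
#   -sh        : content matches the manifest            -> OK
#   [          : content differs from the manifest       -> MISMATCH
#   sysinstall : listed in the manifest but not on disk  -> MISSING
# The hashes are sha256("hello\n") and sha256 of the empty string.
make_sample() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/-sh"
    printf 'hello\n' > "$d/["
    cat > "$d/manifest" <<EOF
# known-good manifest (constructed for this example)
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  -sh
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  [
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  sysinstall
EOF
    echo "$d"
}

# Stand-alone run: "sh verify.sh demo" builds the sample, checks it, cleans up.
case "${1-}" in
    demo)
        d=$(make_sample)
        verify_manifest "$d/manifest" "$d"; rc=$?
        rm -rf "$d"
        echo "exit status: $rc"
        ;;
esac
```

To use it against a real system, point ROOT at the mounted (ideally read-only) filesystem of the suspect box and build the manifest on a machine you trust, from install media of the same release and patch level; an "OK" line means only that the bytes on disk match, which says nothing about a kernel module or a patched `ls` hiding what is actually executed.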



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44wuglovnp.fsf>