Date: Wed, 9 Oct 2002 09:36:25 -0700
From: "Riley" <rileyjmc@pacbell.net>
To: "Mike Hoskins" <mike@adept.org>, "Anthony Schneider" <anthony@x-anthony.com>
Cc: "FreeBSD Security" <freebsd-security@FreeBSD.ORG>, "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>
Subject: RE: chkrootkit help
Message-ID: <HEEELMCBPANKADCOBOFPAELAHAAA.rileyjmc@pacbell.net>
In-Reply-To: <20021007141041.S84008-100000@fubar.adept.org>
Greetings,

I'd like to thank all who replied; the advice and suggestions were valuable and appreciated, not to mention timely!

It looks like it was a false positive. I ran netstat from cd, new chkrootkit compiled on a clean machine, and nmap remotely. It also made sense to mount / (-ro) from a clean machine and do a diff -r /bin /mnt/bin. There doesn't seem to be a security breach. I'll rebuild the machine anyway soon.

There's a known issue with chkrootkit reporting false positives for running programs that use bindshell's ports. Although these aren't running on this machine (an _up-to-date_ DNS/mail server), it was in an unstable state for known reasons. An nmap from a remote machine of the entire network directed at the firewall showed nothing abnormal.

I'm going to rebuild it anyway, but wanted to follow up. Also, if the above is misguided, please advise!

Again, thanks,
Riley

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Mike Hoskins
> Sent: Monday, October 07, 2002 2:11 PM
> To: Anthony Schneider
> Cc: Riley; FreeBSD Security
> Subject: Re: chkrootkit help
>
>
> On Mon, 7 Oct 2002, Anthony Schneider wrote:
>
> > > You could try using a trusted sockstat binary to verify what's listening
> > > on the local system.
> > > % sockstat -4l
> > quick aside: sockstat is a perl script, unless this changed with
> > 4.6.2.
>
> Eww, I hadn't noticed. Good point, stick to a safe netstat from cdrom,
> etc.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
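The verification Riley describes (mounting / read-only from a clean machine and diffing /bin against /mnt/bin) and Anthony's aside that sockstat is a perl script, as an added shell example that is not part of the original thread. compare_tree and is_script are hypothetical helper names; the trusted and live paths are assumptions, and demo builds constructed sample trees in a temp directory in place of a real read-only mount.

```shell
#!/bin/sh
# Added example (not from the thread): offline integrity check of a live
# tree against a trusted copy, the "mount / read-only from a clean machine
# and diff -r /bin /mnt/bin" step, plus a check for tools that are really
# interpreter scripts (the sockstat point in the quoted reply). Paths are
# placeholders: TRUSTED is the clean read-only mount, LIVE the suspect tree.

# compare_tree TRUSTED LIVE
# Prints one line per difference: MISSING (in trusted, absent in live),
# MODIFIED (content differs), EXTRA (in live only). Prints nothing when
# the trees match. Hidden files are included because find lists them.
compare_tree() {
    trusted=$1
    live=$2
    (cd "$trusted" && find . -type f) | sort | while IFS= read -r f; do
        f=${f#./}
        if [ ! -f "$live/$f" ]; then
            printf 'MISSING  %s\n' "$live/$f"
        elif ! cmp -s "$trusted/$f" "$live/$f"; then
            printf 'MODIFIED %s\n' "$live/$f"
        fi
    done
    (cd "$live" && find . -type f) | sort | while IFS= read -r f; do
        f=${f#./}
        [ -f "$trusted/$f" ] || printf 'EXTRA    %s\n' "$live/$f"
    done
}

# is_script FILE: succeeds when FILE begins with "#!", i.e. it is an
# interpreter script, so its output is only as trustworthy as the
# interpreter (perl, sh) it runs under, not just the file itself.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# demo: constructed sample trees standing in for /mnt/bin and /bin.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/trusted/bin" "$tmp/live/bin"
    printf 'ELF ls' > "$tmp/trusted/bin/ls"
    printf 'ELF ls' > "$tmp/live/bin/ls"              # unchanged
    printf 'ELF ps' > "$tmp/trusted/bin/ps"
    printf 'ELF ps patched' > "$tmp/live/bin/ps"      # content differs
    printf 'ELF netstat' > "$tmp/trusted/bin/netstat" # absent from live
    printf '#!/usr/bin/perl\n' > "$tmp/live/bin/sockstat" # live only
    compare_tree "$tmp/trusted" "$tmp/live"
    if is_script "$tmp/live/bin/sockstat"; then
        echo "NOTE     $tmp/live/bin/sockstat is an interpreter script"
    fi
    rm -rf "$tmp"
}

demo
```

On a real system, compare_tree /mnt/bin /bin after mounting the suspect disk read-only; a diff against a clean copy checks content, whereas chkrootkit's port-based heuristics can flag legitimate services, as the thread notes.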