Date: Thu, 28 Aug 2003 10:19:03 +0200
From: Guy Van Sanden <n.b@myrealbox.com>
To: Sean Page <Sean.Page@epsb.ca>, freebsd-questions@freebsd.org
Subject: Re: Chkrootkit anomaly
Message-ID: <1062058743.9153.24.camel@cronos.home.vsb>
In-Reply-To: <DF09779544EFD511A17D0002A587F9D305AA6699@EXCHANGE07>
References: <DF09779544EFD511A17D0002A587F9D305AA6699@EXCHANGE07>
Hi Sean,

I know chkrootkit is broken on 5.1, don't know about 4.8 though.
The messages you are getting are indeed nearly identical to my problems a while back (6-8 months).

Kind regards,

Guy

On Wed, 2003-08-27 at 15:56, Sean Page wrote:
> Since there have already been a couple of questions on this I thought I'd
> see if anyone could shed some light on something I've noticed since I
> started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in
> quiet mode to cut down on noise in the logs, and sporadically I get these
> notifications:
>
> You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> These messages will appear only on the odd occasion, seemingly completely at
> random.
> False positives or very crafty rootkit?
> Any advice would be greatly appreciated!
>
> Sean.
>
> Pertinent details:
> FreeBSD 4.8-RELEASE-p3
>
> kldstat
> Id Refs Address    Size     Name
>  1    2 0xc0100000 2addcc   kernel
>  2    1 0xc166f000 4000     logo_saver.ko
>
> Installed Packages:
> BitchX-1.0c19_2, XFree86-libraries-4.3.0_1,
> amavisd-new-20021227.p2, apache+mod_ssl-1.3.27+2.8.14, arc-5.21e.8_1,
> aspell-0.50.3_1, apache+autoconf-2.53_1, autoconf213-2.13.000227_5,
> automake-1.5,1, automake14-1.4.5_9, bash-2.05b, cclient-2002,1,
> chkrootkit-0.41, compat3x-i386-4.4.20020925, cracklib-2.7_1, curl-7.9.8,
> cvsup-16.1g, db3-3.3.11,1, docbook-1.2, docbook-241,
> docbook-3.0, docbook-3.1, docbook-4.0, docbook-4.1, expat-1.95.6_1,
> ezm3-1.0, fontconfig-2.1.94_1, freetype2-2.1.4_1, gd-2.0.11,
> gettext-0.11.5_1, gmake-3.80, help2man-1.29, horde-2.2, httplog-2.1,
> imake-4.3.0, imap-uw-2002_1,1, imp-3.1_3, iso8879-1986, ispell-3.2.06_3,
> jade-1.2.1_1, jpeg-6b_1, kronolith-1.0_3, lha-1.14i, libiconv-1.8_2,
> libmcal-0.7, libmcrypt-2.5.6_1, libtool-1.3.4_4, libwmf-0.2.7,
> libxml2-2.5.6, linuxdoc-1.1, logcheck-1.1.1, m4-1.4_1, mhash-0.8.17,
> mkcatalog-1.1, mm-1.2.1, mod_php4-4.3.1, mysql-client-3.23.56,
> mysql-server-3.23.56, nag-1.1, nmap-3.00, openldap-2.0.25_3,
> p5-Archive-Tar-0.22, p5-Archive-Zip-1.05, p5-Authen-SASL-2.02,
> p5-Bit-Vector-6.3, p5-Compress-Zlib-1.16, p5-Convert-TNEF-0.17,
> p5-Convert-UUlib-0.213, p5-DBI-1.34_1, p5-Data-ShowTable-3.3,
> p5-Date-Calc-5.3, p5-Digest-HMAC-1.01, p5-Digest-MD5-2.22,
> p5-Digest-Nilsimsa-0.06, p5-Digest-SHA1-2.01, p5-File-Spec-0.82,
> p5-File-Tail-0.98_1, p5-HTML-Parser-3.26, p5-HTML-Tagset-3.03, p5-IO-1.20,
> p5-IO-stringy-2.108, p5-MIME-Base64-2.16, p5-MIME-Tools-5.411a_2,
> p5-Mail-SpamAssassin-2.43, p5-Mail-Tools-1.53, p5-Mysql-modules-1.2219,
> p5-Net-1.12,1, p5-Net-DNS-0.33_1, p5-Net-Daemon-0.36, p5-Net-Server-0.83,
> p5-PlRPC-0.2016, p5-PodParser-1.18, p5-Storable-2.06, p5-Test-Harness-2.26,
> p5-Test-Simple-0.47_1, p5-Time-HiRes-1.38,1, p5-TimeDate-1.1301,
> p5-URI-1.23, p5-Unix-Syslog-0.100, pear-Crypt_CBC-0.3, pear-Date-1.3,
> pear-Log-1.5, pear-install-4.3.0, perl-5.8.0_4, pine-4.56, pkgconfig-0.15.0,
> pkgdb.db, png-1.2.5_2, poppassd-4.0_2, portupgrade-20030427,
> procmail-3.22_2, python-2.2.2_2, qpopper-4.0.5_1, razor-agents-2.21_1,
> ruby-1.6.8.2003.04.19, ruby-bdb1-0.2.1, ruby-rdoc-0.0.0.b2,
> ruby-shim-ruby18-1.8.0.p2.2003.04.19_1, screen-3.9.15_1,
> sed_inplace-2002.10.19, sgmlformat-1.7_2, swatch-3.0.4, turba-1.1_3,
> unarj-2.43_1, unrar-.11,1, unzip-5.50, wget-1.8.2_3, wide-dhcp-1.4.0.6,
> wv-0.7.4, xlhtml-0.5.1, zoo-2.10.1
>
>
>
> Sean Page
> Network Analyst, Internet Services
> Information Technology Services
> Edmonton Public Schools
> Phone: (780) 429-8206
> http://its.epsb.ca
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
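One well-known reason a readdir-versus-ps comparison reports "1 process hidden" only now and then is that a single-shot check also catches any process that starts or exits between the two enumerations. The script below, an added example that is not part of this thread or of chkrootkit, repeats the comparison several times and only reports PIDs that disagree in every sample, so short-lived processes drop out while a consistently hidden one does not; it assumes Python 3, procfs mounted at /proc, and a ps(1) that accepts `-axo pid=`.

```python
"""Repeated readdir-vs-ps cross-check (added example, not chkrootkit's own code).
Assumes Python 3, procfs at /proc and a ps(1) that accepts -axo pid=."""
import os
import subprocess
import time


def pids_from_readdir(proc="/proc"):
    """PIDs visible by listing the procfs directory (numeric entries only)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_from_ps():
    """PIDs visible to ps(1); -ax lists every process, 'pid=' drops the header."""
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def persistent_hidden(samples):
    """Reduce (readdir_pids, ps_pids) snapshots to the PIDs that are missing
    from ps in EVERY sample and the PIDs missing from readdir in EVERY sample.
    A PID that disagrees in only some samples is a process that started or
    exited between the two enumerations, which is what makes a single-shot
    comparison report a 'hidden' process sporadically."""
    hidden_from_ps = hidden_from_readdir = None
    for readdir_pids, ps_pids in samples:
        only_readdir = readdir_pids - ps_pids   # seen in /proc, not by ps
        only_ps = ps_pids - readdir_pids        # seen by ps, not in /proc
        if hidden_from_ps is None:
            hidden_from_ps, hidden_from_readdir = only_readdir, only_ps
        else:
            hidden_from_ps &= only_readdir
            hidden_from_readdir &= only_ps
    return hidden_from_ps or set(), hidden_from_readdir or set()


def collect_samples(count=3, interval=0.5):
    """Take `count` snapshot pairs, `interval` seconds apart."""
    samples = []
    for _ in range(count):
        samples.append((pids_from_readdir(), pids_from_ps()))
        time.sleep(interval)
    return samples


if __name__ == "__main__":
    from_ps, from_readdir = persistent_hidden(collect_samples())
    print("consistently hidden from ps:     ", sorted(from_ps) or "none")
    print("consistently hidden from readdir:", sorted(from_readdir) or "none")
```

A PID that survives every sample still deserves a look with a second, independent source (for example a kernel-level process listing) before calling it hidden, since the script only narrows the candidates.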