From owner-freebsd-questions@FreeBSD.ORG Thu Aug 28 01:19:05 2003
From: Guy Van Sanden
To: Sean Page, freebsd-questions@freebsd.org
Message-Id: <1062058743.9153.24.camel@cronos.home.vsb>
Date: Thu, 28 Aug 2003 10:19:03 +0200
Subject: Re: Chkrootkit anomaly

Hi Sean

I know chkrootkit is broken on 5.1, don't know about 4.8 though.
The messages you are getting are indeed nearly identical to my problems a
while back (6-8 months).

Kind regards
Guy

On Wed, 2003-08-27 at 15:56, Sean Page wrote:
> Since there have already been a couple of questions on this I thought I'd
> see if anyone could shed some light on something I've noticed since I
> started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in
> quiet mode to cut down on noise in the logs, and sporadically I get these
> notifications:
>
> You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> These messages will appear only on the odd occasion, seemingly completely at
> random.
> False positives or very crafty rootkit?
> Any advice would be greatly appreciated!
>
> Sean.
>
> Pertinent details:
> FreeBSD 4.8-RELEASE-p3
>
> kldstat
> Id Refs Address    Size   Name
>  1    2 0xc0100000 2addcc kernel
>  2    1 0xc166f000 4000   logo_saver.ko
>
> Installed Packages:
> BitchX-1.0c19_2, XFree86-libraries-4.3.0_1,
> amavisd-new-20021227.p2, apache+mod_ssl-1.3.27+2.8.14, arc-5.21e.8_1,
> aspell-0.50.3_1, apache+autoconf-2.53_1, autoconf213-2.13.000227_5,
> automake-1.5,1, automake14-1.4.5_9, bash-2.05b, cclient-2002,1,
> chkrootkit-0.41, compat3x-i386-4.4.20020925, cracklib-2.7_1, curl-7.9.8,
> cvsup-16.1g, db3-3.3.11,1, docbook-1.2, docbook-241,
> docbook-3.0, docbook-3.1, docbook-4.0, docbook-4.1, expat-1.95.6_1,
> ezm3-1.0, fontconfig-2.1.94_1, freetype2-2.1.4_1, gd-2.0.11,
> gettext-0.11.5_1, gmake-3.80, help2man-1.29, horde-2.2, httplog-2.1,
> imake-4.3.0, imap-uw-2002_1,1, imp-3.1_3, iso8879-1986, ispell-3.2.06_3,
> jade-1.2.1_1, jpeg-6b_1, kronolith-1.0_3, lha-1.14i, libiconv-1.8_2,
> libmcal-0.7, libmcrypt-2.5.6_1, libtool-1.3.4_4, libwmf-0.2.7,
> libxml2-2.5.6, linuxdoc-1.1, logcheck-1.1.1, m4-1.4_1, mhash-0.8.17,
> mkcatalog-1.1, mm-1.2.1, mod_php4-4.3.1, mysql-client-3.23.56,
> mysql-server-3.23.56, nag-1.1, nmap-3.00, openldap-2.0.25_3,
> p5-Archive-Tar-0.22, p5-Archive-Zip-1.05, p5-Authen-SASL-2.02,
> p5-Bit-Vector-6.3, p5-Compress-Zlib-1.16, p5-Convert-TNEF-0.17,
> p5-Convert-UUlib-0.213, p5-DBI-1.34_1, p5-Data-ShowTable-3.3,
> p5-Date-Calc-5.3, p5-Digest-HMAC-1.01, p5-Digest-MD5-2.22,
> p5-Digest-Nilsimsa-0.06, p5-Digest-SHA1-2.01, p5-File-Spec-0.82,
> p5-File-Tail-0.98_1, p5-HTML-Parser-3.26, p5-HTML-Tagset-3.03, p5-IO-1.20,
> p5-IO-stringy-2.108, p5-MIME-Base64-2.16, p5-MIME-Tools-5.411a_2,
> p5-Mail-SpamAssassin-2.43, p5-Mail-Tools-1.53, p5-Mysql-modules-1.2219,
> p5-Net-1.12,1, p5-Net-DNS-0.33_1, p5-Net-Daemon-0.36, p5-Net-Server-0.83,
> p5-PlRPC-0.2016, p5-PodParser-1.18, p5-Storable-2.06, p5-Test-Harness-2.26,
> p5-Test-Simple-0.47_1, p5-Time-HiRes-1.38,1, p5-TimeDate-1.1301,
> p5-URI-1.23, p5-Unix-Syslog-0.100, pear-Crypt_CBC-0.3, pear-Date-1.3,
> pear-Log-1.5, pear-install-4.3.0, perl-5.8.0_4, pine-4.56, pkgconfig-0.15.0,
> pkgdb.db, png-1.2.5_2, poppassd-4.0_2, portupgrade-20030427,
> procmail-3.22_2, python-2.2.2_2, qpopper-4.0.5_1, razor-agents-2.21_1,
> ruby-1.6.8.2003.04.19, ruby-bdb1-0.2.1, ruby-rdoc-0.0.0.b2,
> ruby-shim-ruby18-1.8.0.p2.2003.04.19_1, screen-3.9.15_1,
> sed_inplace-2002.10.19, sgmlformat-1.7_2, swatch-3.0.4, turba-1.1_3,
> unarj-2.43_1, unrar-.11,1, unzip-5.50, wget-1.8.2_3, wide-dhcp-1.4.0.6,
> wv-0.7.4, xlhtml-0.5.1, zoo-2.10.1
>
> Sean Page
> Network Analyst, Internet Services
> Information Technology Services
> Edmonton Public Schools
> Phone: (780) 429-8206
> http://its.epsb.ca
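The two "process hidden" lines quoted above come from chkrootkit's chkproc, which builds one set of PIDs by probing the kernel directly (readdir over /proc and kill(pid, 0)) and another from ps output, and alarms on any PID that is in the first set but not the second. Because the two snapshots are taken at different instants, a process that starts or exits in between shows up as "hidden" exactly once and then never again, which is the usual explanation for alerts that appear "seemingly completely at random" from a 15-minute cron job. The script below is an added illustration, not part of this thread or of chkrootkit: it performs the same comparison and then re-checks each candidate PID a few times, so that a transient discrepancy (the PID has since exited, or ps now lists it) is separated from one that persists and deserves a real look. The default PID ceiling of 99999 matches FreeBSD's PID_MAX; the 3 rounds and 0.2-second delay are arbitrary choices made for this example.

```python
"""Added example: separating transient chkproc-style discrepancies from persistent ones."""
import os
import subprocess
import time


def pids_via_kill_probe(max_pid=99999):
    """Enumerate live PIDs the way chkproc does without /proc: kill(pid, 0).
    ESRCH (ProcessLookupError) means no such process; EPERM (PermissionError)
    means the process exists but is not ours, so it still counts as alive.
    max_pid=99999 is FreeBSD's PID_MAX; raise it on systems with a larger pid_max."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def pids_via_ps():
    """The PIDs ps is willing to show; BSD-style flags work on FreeBSD and procps."""
    out = subprocess.run(["ps", "-ax", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(probed, visible):
    """chkproc's raw alarm: PIDs that answer kill(pid, 0) but are absent from ps."""
    return set(probed) - set(visible)


def confirm_hidden(candidates, probe_fn, visible_fn, rounds=3, delay=0.2):
    """Re-check the candidates. A PID that no longer answers the probe has simply
    exited; one that ps now lists was caught mid-startup. Both were races between
    the two snapshots, not concealment. Only PIDs that stay alive and stay missing
    from ps through every round are returned."""
    persistent = set(candidates)
    for _ in range(rounds):
        if not persistent:
            break
        time.sleep(delay)
        persistent &= probe_fn()      # must still exist
        persistent -= visible_fn()    # and must still be absent from ps
    return persistent


def scan(rounds=3, delay=0.2):
    """Live check on this host: (raw discrepancy, confirmed subset)."""
    raw = hidden_pids(pids_via_kill_probe(), pids_via_ps())
    return raw, confirm_hidden(raw, pids_via_kill_probe, pids_via_ps, rounds, delay)


def demo():
    """Constructed snapshots (not real output from any host). PID 4242 is a
    short-lived child that exited between the probe and ps; PID 31337 stays
    alive yet never appears in ps, which is the case worth investigating."""
    first_probe, first_ps = {1, 77, 4242, 31337}, {1, 77}
    later_probes = iter([{1, 77, 31337}] * 3)   # 4242 is gone on every re-check
    later_ps = iter([{1, 77}] * 3)              # 31337 never shows up in ps
    raw = hidden_pids(first_probe, first_ps)
    confirmed = confirm_hidden(raw, lambda: next(later_probes),
                               lambda: next(later_ps), rounds=3, delay=0)
    return raw, confirmed


if __name__ == "__main__":
    raw, confirmed = demo()
    print("constructed demo: raw =", sorted(raw), "confirmed =", sorted(confirmed))
    raw, confirmed = scan()
    print("this host: raw =", sorted(raw), "confirmed =", sorted(confirmed))
```

In the constructed run, the raw comparison flags both 4242 and 31337, and only 31337 survives the re-check. On a live box the interesting output is the confirmed set; a non-empty raw set with an empty confirmed set is the race condition, not a rootkit, and is a reasonable thing to log at a lower severity than chkrootkit's warning.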