From owner-freebsd-questions@FreeBSD.ORG Wed Apr 14 12:29:14 2004
Return-Path: <addymin@pacbell.net>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ACC4C16A4CE for <freebsd-questions@freebsd.org>; Wed, 14 Apr 2004 12:29:14 -0700 (PDT)
Received: from smtp813.mail.sc5.yahoo.com (smtp813.mail.sc5.yahoo.com [66.163.170.83]) by mx1.FreeBSD.org (Postfix) with SMTP id 718A543D64 for <freebsd-questions@freebsd.org>; Wed, 14 Apr 2004 12:29:14 -0700 (PDT) (envelope-from addymin@pacbell.net)
Received: from unknown (HELO pacbell.net) (m?chinn@pacbell.net@67.120.100.59 with plain) by smtp813.mail.sc5.yahoo.com with SMTP; 14 Apr 2004 19:28:25 -0000
Message-ID: <407D910F.8050507@pacbell.net>
Date: Wed, 14 Apr 2004 12:29:19 -0700
From: Mike <addymin@pacbell.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-questions <freebsd-questions@freebsd.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: False positives from chkrootkit? or hacked test server?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: addymin@pacbell.net
List-Id: User questions <freebsd-questions.freebsd.org>
X-List-Received-Date: Wed, 14 Apr 2004 19:29:14 -0000

Greetings:

My test system: FreeBSD 4.9-stable, Pentium III 800

I read an earlier post about using chkrootkit to check for root kits (intrusions). I'm still learning about FreeBSD, so I thought I would run this too.

Well... I installed and ran chkrootkit. And the output shows that:

Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED

No rootkits were found.

This FreeBSD system is a test server running Postfix, Samba, Apache, PHP4, MySQL, and akpop3. For a firewall I run IPFW. This computer sits behind a NAT router (Linksys BEFSR41).

The Linksys router forwards a few ports (25, 110, 80) to a different server (a Redhat-9 system). However, NO PORTS are forwarded to this FreeBSD system. My Redhat-9 server runs Apache, MySQL, PHP4, and Postfix.

Question: Does chkrootkit ever generate false positives? This system has just a few test websites on it (test data) and nothing else. But if this system has been compromised, then how? Given that any public services (forwarded from the router) coming across ports 25, 110, 80, 22 are sent to a different server altogether?

I would appreciate any hints or pointers.

Thank you.

Michael Chinn
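One way to settle "false positive or trojaned binary" is to stop trusting the scanner's verdict and compare the flagged files against a known-good reference. The script below is an added example and is not part of the original post or of chkrootkit: it assumes you can produce a baseline hash list ("<md5hex>  <path>" per line) on a trusted system of the same release (a fresh install from the 4.9 media, or a `make world` from verified sources), copy it to the suspect host, and compare. Run it with binaries taken from trusted media (a fixit CD or a read-only mounted clean tree) rather than the installed `sh`, `md5` and `ls`, since those are exactly the files a rootkit replaces.

```shell
#!/bin/sh
# Added example (not from the original post): compare installed binaries
# against a trusted MD5 baseline. Baseline format (assumed): "<md5hex>  <path>".
# Lines starting with '#' are ignored.

# file_digest PATH : print the MD5 hex digest of PATH.
# FreeBSD ships md5(1) (md5 -q prints the bare digest); GNU systems ship md5sum(1).
file_digest() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# make_baseline PATH... : write a baseline for the given files to stdout.
# Run this on the trusted reference system, e.g.
#   make_baseline /bin/ls /bin/ps /bin/date /usr/bin/chfn /usr/bin/chsh > baseline.txt
make_baseline() {
    for f; do
        printf '%s  %s\n' "$(file_digest "$f")" "$f"
    done
}

# verify_baseline BASELINE : print one status line per entry (OK, CHANGED, MISSING).
# Returns 0 if every file matches its recorded digest, 1 otherwise.
verify_baseline() {
    baseline=$1
    rc=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        case $expected in '#'*) continue ;; esac
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            rc=1
            continue
        fi
        actual=$(file_digest "$path")
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'CHANGED  %s (expected %s, got %s)\n' "$path" "$expected" "$actual"
            rc=1
        fi
    done < "$baseline"
    return $rc
}

# Usage on the suspect host, with the baseline produced on the clean system:
#   verify_baseline baseline.txt
```

A CHANGED result on a file the baseline covers is a stronger signal than a scanner string match; an OK result for all five files means the scanner matched something in a stock binary. The baseline only proves what it covers, so include the tools the scanner itself relies on (`sh`, `strings`, `netstat`, `find`) as well as the flagged ones.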