Date:      Wed, 14 Apr 2004 16:46:07 -0400
From:      Bob Collins <bobc@anything-inc.com>
To:        Mike <addymin@pacbell.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: False positives from chkrootkit? or hacked test server?
Message-ID:  <20040414204607.GB36442@yoda.anything-inc.com>
In-Reply-To: <407D910F.8050507@pacbell.net>
References:  <407D910F.8050507@pacbell.net>

On Wed, Apr 14, 2004, Mike clacked the keyboard to produce:
> Greetings:
> 
> My test system:
> FreeBSD 4.9-stable
> Pentium III 800
> 
> I read an earlier post about using chkrootkit to check for root kits 
> (intrusions).  I'm still learning about FreeBSD so I thought I would run 
> this too.
> 
> Well... I installed and ran chkrootkit. And the output shows that:
> 
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
> 
> No rootkits were found.
> 
> This FreeBSD system is a test server running Postfix, Samba, Apache, 
> PHP4, MySql, and akpop3. For a firewall I run IPFW.
> 
> This computer sits behind a NAT router (linksys BEFSR41).  The Linksys 
> router forwards a few ports (25, 110, 80) to a different server (a 
> Redhat-9 system). However, NO PORTS are forwarded to this FreeBSD system.
> 
> My Redhat-9 server that runs Apache, Mysql, php4, and postfix.
> 
> Question: Does chkrootkit ever generate false positives?
> 

Michael, I cannot answer your question, but rather throw in my false
positive question as well.

I am running FBSD 5.0 release with named, Apache, MySQL, and Samba too.
I received the exact same positives from my system. Everything else is
fine.

In Googling I found a question as such and the only reply was FAQ and
read the archives, to wit, some joker has a name of chkrootkit and you
get a zillion of his mails, yet nothing helpful otherwise. Looking
forward to hearing something too.

-- 
Bob

"Play is the work of children. It's very serious stuff. And if it's
properly structured in a developmental program, children can blossom."
-Bob Keeshan aka `Captain Kangaroo'



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040414204607.GB36442>