From owner-freebsd-questions@FreeBSD.ORG Wed Apr 14 13:44:20 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1D92116A4CE for ; Wed, 14 Apr 2004 13:44:20 -0700 (PDT)
Received: from yoda.anything-inc.com (adsl-068-153-193-053.sip.bct.bellsouth.net [68.153.193.53]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2244543D2F for ; Wed, 14 Apr 2004 13:44:19 -0700 (PDT) (envelope-from bobc@anything-inc.com)
Received: from /spool/local by anything-inc.com with [XMail 1.17 (FreeBSD/Ix86) LMAIL Server] for from ; Wed, 14 Apr 2004 16:46:08 -0400
Date: Wed, 14 Apr 2004 16:46:07 -0400
From: Bob Collins
To: Mike
Message-ID: <20040414204607.GB36442@yoda.anything-inc.com>
Mail-Followup-To: Mike , freebsd-questions@freebsd.org
References: <407D910F.8050507@pacbell.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <407D910F.8050507@pacbell.net>
User-Agent: Mutt/1.4i
Comment: No comment
X-Cuse: I have none
X-Editor: vi
X-Spam-Status: No, hits=-4.5 required=3.5 tests=IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,REPLY_WITH_QUOTES,USER_AGENT_MUTT version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
cc: freebsd-questions@freebsd.org
Subject: Re: False positives from chkrootkit? or hacked test server?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 14 Apr 2004 20:44:20 -0000

On Wed, Apr 14, 2004, Mike clacked the keyboard to produce:
> Greetings:
>
> My test system:
> FreeBSD 4.9-stable
> Pentium III 800
>
> I read an earlier post about using chkrootkit to check for root kits
> (intrusions). I'm still learning about FreeBSD so I thought I would run
> this too.
>
> Well... I installed and ran chkrootkit. And the output shows that:
>
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
>
> No rootkits were found.
>
> This FreeBSD system is a test server running Postfix, Samba, Apache,
> PHP4, MySql, and akpop3. For a firewall I run IPFW.
>
> This computer sits behind a NAT router (linksys BEFSR41). The Linksys
> router forwards a few ports (25, 110, 80) to a different server (a
> Redhat-9 system). However, NO PORTS are forwarded to this FreeBSD system.
>
> My Redhat-9 server runs Apache, Mysql, php4, and postfix.
>
> Question: Does chkrootkit ever generate false positives?
>

Michael, I cannot answer your question, but rather throw in my false positive
question as well. I am running FBSD 5.0 release with named, Apache, MySQL, and
Samba too. I received the exact same positives from my system. Everything else
is fine.

In Googling I found a question as such and the only reply was FAQ and read the
archives, to wit, some joker has a name of chkrootkit and you get a zillion of
his mails, yet nothing helpful otherwise.

Looking forward to hearing something too.

--
Bob

"Play is the work of children. It's very serious stuff. And if it's properly
structured in a developmental program, children can blossom."
-Bob Keeshan aka `Captain Kangaroo'
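An added example, not from anyone in this thread, showing in portable sh why a string-signature test of the kind chkrootkit runs can report a clean binary as INFECTED, and how a hash recorded from a known-good copy tells that false positive apart from a real modification. The stand-in file, its contents, the paths and the signature list are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: two ways to look at a binary that
# chkrootkit reports as INFECTED. Paths, file contents and the signature
# list below are constructed for the demo, not taken from chkrootkit.

# Portable SHA-256 of a file: sha256sum(1) on Linux, sha256(1) on FreeBSD.
hash_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    sha256 -q "$1"
  fi
}

# 1. chkrootkit-style test: search the binary's bytes for known rootkit
#    strings. Any clean binary that happens to contain one of them is
#    reported INFECTED, which is how false positives arise.
signature_scan() {      # signature_scan FILE 'ERE' -> INFECTED | clean
  if grep -aEq "$2" "$1"; then echo INFECTED; else echo clean; fi
}

# 2. Baseline test: compare the file against a hash recorded from a trusted
#    copy (install media, a fresh build from /usr/src, an mtree(8) spec).
baseline_check() {      # baseline_check FILE EXPECTED_HASH -> OK | MISMATCH
  if [ "$(hash_of "$1")" = "$2" ]; then echo OK; else echo MISMATCH; fi
}

# Walk both tests over a constructed stand-in for /bin/ls.
demo() {
  tmp=$(mktemp -d) || return 1
  # Benign content whose strings include a device path that also appears
  # in the (constructed) signature list.
  printf 'usage: ls [-ABCFGHLPRSTWabcdfghiklmnopqrstuwx1]\n/dev/tty\n' > "$tmp/ls"
  good=$(hash_of "$tmp/ls")          # recorded while the file is trusted
  sig='/dev/tty|/dev/ptyp'           # constructed signature list

  scan=$(signature_scan "$tmp/ls" "$sig")    # INFECTED on a string match alone
  base=$(baseline_check "$tmp/ls" "$good")   # OK: bytes unchanged, so a false positive

  printf 'patched\n' >> "$tmp/ls"             # simulate a tampered binary
  base2=$(baseline_check "$tmp/ls" "$good")  # MISMATCH: now worth investigating
  rm -rf "$tmp"
  echo "$scan $base $base2"
}

demo   # prints: INFECTED OK MISMATCH
```

A signature hit on its own only says the bytes contain a matching string; the baseline comparison is what separates a benign match from a changed binary.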