From owner-freebsd-questions@FreeBSD.ORG Wed Apr 14 14:10:40 2004
Message-ID: <407DA906.4070209@pacbell.net>
Date: Wed, 14 Apr 2004 14:11:34 -0700
From: Mike
Reply-To: addymin@pacbell.net
To: Jeff Maxwell, freebsd-questions
References: <407D910F.8050507@pacbell.net> <38D85174-8E4F-11D8-986A-000502716489@epix.net>
In-Reply-To: <38D85174-8E4F-11D8-986A-000502716489@epix.net>
Subject: Re: False positives from chkrootkit? or hacked test server? [SOLVED]
List-Id: User questions
List-Archive: http://lists.freebsd.org/mailman/listinfo/freebsd-questions

Jeff Maxwell wrote:
> upgrade your ports. The chkrootkit that ships with 4.9 gives false
> positives

Jeff:

Thanks for the tip. I deinstalled the chkrootkit (v-4.1) that came with 4.9. I then downloaded and installed the most recent version (v-4.3) from the chkrootkit.org site. I re-ran chkrootkit and found NO infected files and NO rootkits.
Michael Chinn

> On Apr 14, 2004, at 3:29 PM, Mike wrote:
>
>> Greetings:
>>
>> My test system:
>> FreeBSD 4.9-stable
>> Pentium III 800
>>
>> I read an earlier post about using chkrootkit to check for root kits
>> (intrusions). I'm still learning about FreeBSD so I thought I would
>> run this too.
>>
>> Well... I installed and ran chkrootkit. And the output shows that:
>>
>> Checking `chfn'... INFECTED
>> Checking `chsh'... INFECTED
>> Checking `date'... INFECTED
>> Checking `ls'... INFECTED
>> Checking `ps'... INFECTED
>>
>> No rootkits were found.
>>
>> This FreeBSD system is a test server running Postfix, Samba, Apache,
>> PHP4, MySql, and akpop3. For a firewall I run IPFW.
>>
>> This computer sits behind a NAT router (linksys BEFSR41). The Linksys
>> router forwards a few ports (25, 110, 80) to a different server (a
>> Redhat-9 system). However, NO PORTS are forwarded to this FreeBSD system.
>>
>> My Redhat-9 server runs Apache, Mysql, php4, and postfix.
>>
>> Question: Does chkrootkit ever generate false positives?
>>
>> This system has just a few test websites on it (test data) and nothing
>> else. But if this system has been compromised, then how? Given that
>> any public services (forwarded from the router) coming across ports
>> 25, 110, 80, 22 are sent to a different server altogether?
>>
>> I would appreciate any hints or pointers. Thank you.
>>
>> Michael Chinn
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
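The thread above settles the alarm by upgrading chkrootkit, which is the right fix for a known false positive. The general point worth keeping from it: chkrootkit's per-binary INFECTED verdicts come from string signatures associated with known rootkits, so they can misfire on a clean system, and the way to decide whether chfn, chsh, date, ls or ps really were replaced is an integrity check that does not depend on those signatures. The script below is an added example, not code from the thread, from chkrootkit or from the FreeBSD base system: it hashes a list of binaries and compares them against a manifest, reporting OK, MISMATCH or MISSING. The manifest and the "binaries" in demo() are constructed stand-ins for the demo; in real use the manifest would be built from a trusted copy of the same release (for example /usr/obj after a buildworld from verified sources, or the install media) and kept off the host being checked.

```shell
#!/bin/sh
# Added example: hash-based integrity check for binaries that a
# signature scanner such as chkrootkit flagged as INFECTED.
# Manifest format: one "sha256<TAB>path" line per file.

# Portable SHA-256: FreeBSD ships sha256(1), Linux ships sha256sum(1),
# and openssl(1) is the fallback.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.* //'
    fi
}

# Build a manifest for the given files (run this on the TRUSTED copy).
make_manifest() {
    for f in "$@"; do
        printf '%s\t%s\n' "$(hash_file "$f")" "$f"
    done
}

# Verify every manifest entry on the suspect host. Prints one verdict
# per file; returns 1 if any file is missing or its hash differs.
verify_manifest() {
    manifest="$1"
    status=0
    while IFS="$(printf '\t')" read -r expected path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            status=1
        elif [ "$(hash_file "$path")" = "$expected" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'MISMATCH %s\n' "$path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Self-contained demo with CONSTRUCTED stand-ins for the five binaries
# from the thread: a clean pass, then a simulated trojaned ps.
demo() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/chk.XXXXXX") || return 2
    for name in chfn chsh date ls ps; do
        printf 'stand-in for /usr/bin/%s\n' "$name" > "$tmp/$name"
    done
    make_manifest "$tmp/chfn" "$tmp/chsh" "$tmp/date" "$tmp/ls" "$tmp/ps" \
        > "$tmp/manifest"
    # Untouched tree: every entry verifies.
    if verify_manifest "$tmp/manifest"; then clean=0; else clean=1; fi
    # Append a payload to ps, as a replaced binary would differ, and re-check.
    printf 'trojan payload\n' >> "$tmp/ps"
    if verify_manifest "$tmp/manifest"; then dirty=0; else dirty=1; fi
    rm -rf "$tmp"
    echo "clean=$clean dirty=$dirty"
    [ "$clean" -eq 0 ] && [ "$dirty" -eq 1 ]
}
```

Run demo to see the two passes; the second prints "MISMATCH .../ps" and the summary "clean=0 dirty=1". One caveat: this proves only that the file on disk matches the reference. A kernel-level rootkit that intercepts reads of the binary would return the original bytes to the hasher while running something else, so a clean hash comparison should be confirmed from a boot of trusted media if there is any real suspicion.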