From owner-freebsd-questions@FreeBSD.ORG Wed Apr 14 14:42:38 2004
From: Martin Hudec
To: freebsd-questions@freebsd.org
Date: Wed, 14 Apr 2004 23:43:53 +0200
Subject: Re: False positives from chkrootkit? or hacked test server?
Message-ID: <20040414214353.GC96246@pleiades.aeternal.net>
In-Reply-To: <407DA906.4070209@pacbell.net>
References: <407D910F.8050507@pacbell.net> <38D85174-8E4F-11D8-986A-000502716489@epix.net> <407DA906.4070209@pacbell.net>
X-Operating-System: FreeBSD pleiades.aeternal.net 5.2.1-RELEASE-p4 i386
X-PGP-Key: http://www.aeternal.net/corwin_aeternal.asc
User-Agent: Mutt/1.5.6i
Hello all,

On Wed, Apr 14, 2004 at 02:11:34PM -0700 or thereabouts, Mike wrote:
> Jeff Maxwell wrote:
>
> > upgrade your ports. The chkrootkit that ships with 4.9 gives false
> > positives

I'm using chkrootkit from a fresh ports update (v4.3). Results are as follows:

System 1 on 4.9-STABLE: nothing found
System 2 on 4.10-BETA: chfn, chsh, date infected
System 3 on 5.2.1-RELEASE-p4: date infected, stops (freezes) at checking 'lkm'

strace shows:

    wait4(-1, Process 610 attached - interrupt to quit

Systems are behind two firewalls, with only ssh allowed (5.x) or ftp, ssh,
smtp, www, pop3 and https allowed (4.x).

-- 
Martin Hudec | corwin at aeternal.net | corwin at web.markiza.sk
http://www.aeternal.net | cell +421 907 303 393
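Editor's added example (not part of the mail above, and not chkrootkit's own code): the two checks a practitioner would run before treating "chfn, chsh, date infected" as a compromise. The first reproduces the kind of string-signature match chkrootkit performs, which is where a false positive comes from; the second compares the flagged binary's SHA-256 with a hash recorded from a known-good copy, which is what actually decides the question. The signature strings, file contents and reference list are constructed placeholders for the demo, not chkrootkit's real signature list or any real FreeBSD binary.

```sh
#!/bin/sh
# Added example, not from the original mail. Two checks for a chkrootkit
# "INFECTED" verdict on a userland binary such as date or chfn:
#
#   chkrootkit_style_scan    - a string-signature match of the kind chkrootkit
#                              performs. It matches bytes, not behaviour, so a
#                              clean binary whose string table happens to hold
#                              a signature string is reported as infected.
#   verify_against_reference - compares the file's SHA-256 with a hash recorded
#                              from a known-good copy (install media, a freshly
#                              built world, or a clean host at the same patch
#                              level). A hash mismatch is evidence; a signature
#                              hit alone is not.
#
# Assumption: SIGNATURES and all file contents below are placeholders
# constructed for the demo, not chkrootkit's real list.

set -u

SIGNATURES="/dev/ptyp /usr/lib/.ark"

# Print "<file>: INFECTED (matched '<sig>')" and return 1 on a signature hit,
# "<file>: clean" and return 0 otherwise, "<file>: UNREADABLE" and return 2
# if the file cannot be read (never report an unreadable file as clean).
chkrootkit_style_scan() {
    f=$1
    [ -r "$f" ] || { echo "$f: UNREADABLE"; return 2; }
    for sig in $SIGNATURES; do
        if grep -qaF -- "$sig" "$f"; then
            echo "$f: INFECTED (matched '$sig')"
            return 1
        fi
    done
    echo "$f: clean"
    return 0
}

# SHA-256 of $1: sha256(1) on FreeBSD, sha256sum(1) elsewhere.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# $1: reference list, one "<hash>  <path>" line per file, recorded while the
#     files were known-good and stored where the suspect host cannot rewrite it.
# $2: path to check.
# Prints MATCH (return 0), MISMATCH (return 1) or NO-REFERENCE (return 2).
verify_against_reference() {
    ref=$1
    path=$2
    want=$(awk -v p="$path" '$2 == p { print $1 }' "$ref")
    if [ -z "$want" ]; then
        echo "$path: NO-REFERENCE"
        return 2
    fi
    have=$(hash_file "$path")
    if [ "$have" = "$want" ]; then
        echo "$path: MATCH"
        return 0
    fi
    echo "$path: MISMATCH (reference $want, actual $have)"
    return 1
}

# Build a throwaway directory with two constructed "binaries" and a reference
# list, then tamper with one of them. Prints the directory path.
make_fixtures() {
    d=$(mktemp -d)
    # "date": clean, but its string table contains a signature string.
    printf 'placeholder for date; strings: %s %s\n' '/dev/ptyp' 'usage: date [-u]' > "$d/date"
    # "chfn": clean at the time the reference list is recorded.
    printf 'placeholder for chfn\n' > "$d/chfn"
    for name in date chfn; do
        echo "$(hash_file "$d/$name")  $d/$name"
    done > "$d/reference.sha256"
    # Later modification of chfn: what a genuinely replaced binary looks like
    # to the hash check, whether or not a signature scan notices it.
    printf 'bytes appended after the reference was recorded\n' >> "$d/chfn"
    echo "$d"
}

# Demo: date is a false positive (signature hit, hash matches); chfn is the
# opposite (no signature hit, hash differs).
demo() {
    D=$(make_fixtures)
    for name in date chfn; do
        chkrootkit_style_scan "$D/$name" || :
        verify_against_reference "$D/reference.sha256" "$D/$name" || :
    done
    rm -rf "$D"
}
demo
```

Two caveats when using this on a box you actually suspect: the reference list has to come from a copy you trust and must not have been generated on the suspect host after the fact, and the sha256/sha256sum, grep and awk binaries used to compute the hashes can themselves be replaced, so take the hashes from rescue or install media if a mismatch would matter. These checks only cover the flagged userland files; they say nothing about the hung 'lkm' test, which looks for hidden processes rather than modified binaries.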