From: Matthew Seaman
To: RazorOnFreeBSD
Cc: freebsd-security@freebsd.org
Date: Fri, 21 May 2004 21:02:54 +0100
Subject: Re: Hacked or not ?
Message-ID: <20040521200254.GC89897@happy-idiot-talk.infracaninophile.co.uk>

On Fri, May 21, 2004 at 03:52:45PM +0200, RazorOnFreeBSD wrote:
> I have a 4.9-STABLE FreeBSD box apparently hacked!
> Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> Those are:
> chfn ... INFECTED
> chsh ... INFECTED
> date ... INFECTED
> ls ... INFECTED
> ps ... INFECTED

Sheesh. Not this *again*. This is a false alarm: chkrootkit is
exceedingly sensitive to something about the way such programs work
under FreeBSD and has to be continually futzed so that it knows not to
complain on each successive version of FreeBSD. Comes up in this or
other FreeBSD lists just about every week.

Relax. You're not compromised. You just need better tools.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                 26 The Paddocks
                                                Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey   Marlow
Tel: +44 1628 476614                            Bucks., SL7 1TH UK