Date: Thu, 17 Jun 2004 12:48:54 +0900 (JST)
From: KOJIMA Hajime <kjm@rins.ryukoku.ac.jp>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/68029: chkrootkit 0.43 (ports/security/chkrootkit) false positive on FreeBSD 4.10-RELEASE
Message-ID: <200406170348.i5H3msTI038809@yukikaze.st.ryukoku.ac.jp>
Resent-Message-ID: <200406170350.i5H3oPM2039746@freefall.freebsd.org>
>Number: 68029
>Category: ports
>Synopsis: chkrootkit 0.43 (ports/security/chkrootkit) false positive on FreeBSD 4.10-RELEASE
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jun 17 03:50:25 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: KOJIMA Hajime
>Release: FreeBSD 4.10-RELEASE i386
>Organization: Ryukoku University
>Environment:
System: FreeBSD yukikaze.st.ryukoku.ac.jp 4.10-RELEASE FreeBSD 4.10-RELEASE #0: Wed Jun 9 19:31:58 JST 2004 kjm@yukikaze2.st.ryukoku.ac.jp:/usr/obj/usr/src/sys/YUKIKAZE i386
>Description:
chkrootkit 0.43 (ports/security/chkrootkit) on FreeBSD 4.10-RELEASE reports as:

Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED

but the chfn / chsh / date commands are not infected. It's a false positive.
>How-To-Repeat:
Run the /usr/local/sbin/chkrootkit script.
>Fix:
--- chkrootkit Thu Jun 17 12:14:25 2004 +++ chkrootkit Thu Jun 17 12:17:33 2004 @@ -2401,6 +2401,12 @@ V=44 else V=`echo $VERSION | cut -d- -f 1 | ${sed} 's/\.//g'` + + # fix for FreeBSD 4.10-RELEASE and later + V2=`echo $VERSION | cut -d- -f 1 | ${sed} 's/\..*//g'` + if [ "${SYSTEM}" = "FreeBSD" -a $V -gt 400 -a $V2 = 4 ]; then + V=49 + fi fi # ps command
>Release-Note:
>Audit-Trail:
>Unformatted:
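
Review bot: the added `if` hard-codes `$V2 = 4` and clamps `V=49`, which works around the dot-stripping `sed` turning 4.10 into 410 but leaves that derivation in place; a later major release with a two-digit minor (5.10) would again produce a three-digit value (510) that this check does not catch. Consider taking major and minor separately from `$VERSION` (for example `cut -d. -f1` and `cut -d. -f2`) and comparing them as two numbers instead of one concatenated value. `$V` and `$V2` are also unquoted inside `[ ... ]`, so an empty `$VERSION` makes the test a syntax error rather than evaluating false; quote both, and extend the comment to say why 49 is the value chosen.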