Date: Wed, 5 May 2004 20:27:06 +1000
From: Tim Robbins
To: jeff
cc: stable@freebsd.org
Subject: Re: chkrootkit
Message-ID: <20040505102706.GA6080@cat.robbins.dropbear.id.au>
In-Reply-To: <200405050951.i459psAN032283@gir.olymail.net>
List-Id: Production branch of FreeBSD source code

On Wed, May 05, 2004 at 02:54:44AM -0700, jeff wrote:

> The latest version of chkrootkit marks 3 files as being "INFECTED"; "chfn
> chsh date"
> The system is FreeBSD 4.10-BETA #2: Sun Apr 18 00:31:19 PDT 2004
>
> These files are not detected correctly by the chkrootkit program or all my
> 4.10 boxes have been "owned" or the source has been compromised.

This is a known bug in chkrootkit. For one reason or another, it seems to
break every time a new version of FreeBSD is released.
The problem was discussed recently on the security list[1] and the
resolution was that it will be fixed in the next release of chkrootkit.

[1] http://marc.theaimsgroup.com/?l=freebsd-security&m=108359366700515&w=2

Tim