From owner-freebsd-security@FreeBSD.ORG  Fri May 21 14:41:10 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id E6AA816A4CE; Fri, 21 May 2004 14:41:10 -0700 (PDT)
Received: from smtp.infracaninophile.co.uk
	(happy-idiot-talk.infracaninophile.co.uk [81.2.69.218])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 63BE143D45; Fri, 21 May 2004 14:41:09 -0700 (PDT)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from happy-idiot-talk.infracaninophile.co.uk
	(localhost.infracaninophile.co.uk [IPv6:::1])i4LLew6D096819
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Fri, 21 May 2004 22:40:58 +0100 (BST)
	(envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk)
Received: (from matthew@localhost)id i4LLewup096818;
	Fri, 21 May 2004 22:40:58 +0100 (BST)	(envelope-from matthew)
Date: Fri, 21 May 2004 22:40:58 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Tom Rhodes <trhodes@FreeBSD.org>
Message-ID: <20040521214058.GD89897@happy-idiot-talk.infracaninophile.co.uk>
Mail-Followup-To: Tom Rhodes <trhodes@FreeBSD.org>,
	RazorOnFreeBSD <yann.luppo@attglobal.net>,
	freebsd-security@FreeBSD.org
References: <021f01c43f3a$e7eb7f40$0f01a8c0@razor>
	<20040521200254.GC89897@happy-idiot-talk.infracaninophile.co.uk>
	<20040521161133.080c23d7@localhost>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="iVCmgExH7+hIHJ1A"
Content-Disposition: inline
In-Reply-To: <20040521161133.080c23d7@localhost>
User-Agent: Mutt/1.5.6i
X-Virus-Scanned: clamd / ClamAV version devel-20040504, clamav-milter version
	0.70u
X-Virus-Status: Clean
X-Spam-Status: No, hits=-4.8 required=5.0 tests=AWL,BAYES_00 autolearn=ham 
	version=2.63
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on 
	happy-idiot-talk.infracaninophile.co.uk
cc: freebsd-security@FreeBSD.org
cc: RazorOnFreeBSD <yann.luppo@attglobal.net>
Subject: Re: Hacked or not ?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 21 May 2004 21:41:11 -0000


--iVCmgExH7+hIHJ1A
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, May 21, 2004 at 04:11:33PM -0400, Tom Rhodes wrote:
> On Fri, 21 May 2004 21:02:54 +0100
> Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:
>=20
> > On Fri, May 21, 2004 at 03:52:45PM +0200, RazorOnFreeBSD wrote:
> >=20
> > > I have a 4.9-STABLE FreeBSD box apparently hacked!
> > > Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.=
=20
> > > Those are:
> > > chfn     ... INFECTED
> > > chsh    ... INFECTED
> > > date     ... INFECTED
> > > ls         ... INFECTED
> > > ps        ... INFECTED
> >=20
> > Sheesh.  Not this *again*.  This is a false alarm: chkrootkit is
> > exceedingly sensitive to something about the way such programs work
> > under FreeBSD and has to be continually futzed so that it knows not to
> > complain on each successive version of FreeBSD.  Comes up in this or
> > other FreeBSD lists just about every week.
> >=20
> > Relax.  You're not compromised.  You just need better tools.
> >=20
>=20
> I love the "just need better tools." without any recommendation
> for him.

Well, the question was "has my machine been compromised", which I
answered. =20

The current version of chkrootkit in ports (0.43) has a problem
whereby it thinks FreeBSD 4.10 is a higher version than FreeBSD 5.0,
which means that it reports certain programs are infected because they
*don't* fail in the expected way found on 5.0 or above.  Here's a
patch:

--- chkrootkit.orig	Fri May 21 22:19:16 2004
+++ chkrootkit	Fri May 21 22:36:29 2004
@@ -257,7 +257,7 @@
 {
     prog=3D""
     if [  \( "${SYSTEM}" =3D "Linux"  -o \( "${SYSTEM}" =3D "FreeBSD" -a \
-       ${V} -gt 43 \) \) -a "${ROOTDIR}" =3D "/" ]; then
+       ${V} -gt 403 \) \) -a "${ROOTDIR}" =3D "/" ]; then
       [ ! -x /usr/local/sbin/chkproc ] && prog=3D"/usr/local/sbin/chkproc"
       [ ! -x /usr/local/sbin/chkdirs ] && prog=3D"$prog /usr/local/sbin/ch=
kdirs"
       if [ "$prog" !=3D "" ]; then
@@ -1080,7 +1080,7 @@
              STATUS=3D${INFECTED}
           fi;;
        FreeBSD)
-          [ $V -gt 50 ] && n=3D1 || n=3D2
+          [ $V -gt 500 ] && n=3D1 || n=3D2
           if [ `${strings} -a ${CMD} | \
                 ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
           then
@@ -1114,7 +1114,7 @@
              fi
           fi;;
        FreeBSD)
-          [ $V -gt 50 ] && n=3D1 || n=3D2
+          [ $V -gt 500 ] && n=3D1 || n=3D2
           if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABE=
L}"` -ne $n ]
              then
              STATUS=3D${INFECTED}
@@ -1145,10 +1145,10 @@
     ret=3D`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"`
     if [ ${ret} -gt 0 ]; then
         case ${ret} in
-        1) [ "${SYSTEM}" =3D "OpenBSD" -a ${V} -le 27 -o ${V} -ge 30 ] && \
+        1) [ "${SYSTEM}" =3D "OpenBSD" -a ${V} -le 207 -o ${V} -ge 300 ] &=
& \
              STATUS=3D${NOT_INFECTED} || STATUS=3D${INFECTED};;
         2) [ "${SYSTEM}" =3D "FreeBSD"  -o ${SYSTEM} =3D "NetBSD" -o ${SYS=
TEM} =3D \
-"OpenBSD" -a  ${V} -ge 28 ] && STATUS=3D${NOT_INFECTED} || STATUS=3D${INFE=
CTED};;
+"OpenBSD" -a  ${V} -ge 208 ] && STATUS=3D${NOT_INFECTED} || STATUS=3D${INF=
ECTED};;
=20
         *) STATUS=3D${INFECTED};;
         esac
@@ -1622,7 +1622,7 @@
         expertmode_output "${ls} -l ${CMD}"
         return 5
     fi
-    [ "${SYSTEM}" =3D "FreeBSD" -a $V -gt 50 ] &&
+    [ "${SYSTEM}" =3D "FreeBSD" -a $V -gt 500 ] &&
     {
        if [ `${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \
           ${egrep} -c "$S_L"` -ne 2 ]; then
@@ -2398,9 +2398,9 @@
 SYSTEM=3D`${uname} -s`
 VERSION=3D`${uname} -r`
 if [ "${SYSTEM}" !=3D "FreeBSD" -a ${SYSTEM} !=3D "OpenBSD" ] ; then
-   V=3D44
+   V=3D404
 else
-   V=3D`echo $VERSION | cut -d- -f 1 | ${sed} 's/\.//g'`
+   V=3D$(( `echo $VERSION | cut -d- -f 1 | ${sed} 's/\./ * 100 + /g'` ))
 fi
=20
 # ps command

Better tools in this case: in this case, I'd say tripwire or one of
the work-alikes. =20

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

--iVCmgExH7+hIHJ1A
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFArndqiD657aJF7eIRAiRxAKC1khe6tvA4zXKIK2Weh/TRZevaewCggUvh
2cOfVvjSgzeqZRzp6c07f10=
=6uto
-----END PGP SIGNATURE-----

--iVCmgExH7+hIHJ1A--