Date: Sun, 27 Apr 2003 07:09:10 -0400
From: "email" <tony@armstrong.org.uk>
To: freebsd-questions@freebsd.org
Subject: FreeBSD-chkrootkit-concerns
Message-ID: <200304271109.h3RB9AF5016949@armstrong.org.uk>

Hello,

I am new to BSD but have been using Linux for quite some time and have never come across this before on a system I have used.

I have a question which I posted on a BSD forum concerning chkrootkit and FreeBSD release 5.0. I installed FreeBSD and 2 days later when I ran chkrootkit I had the following come up as being infected: chfn, chsh, date, ls and ps. The forum admin said that this had already been noted and pointed me to here:

http://www.freebsd.org/cgi/search.cgi?words=chkrootkit&max=25&sort=score&index=recent&source=freebsd-questions

Having looked through the posts I can see that there has been an issue regarding FreeBSD and chkrootkit; however, I thought I would have a look at 'date' in /bin to be on the safe side. When I did 'strings date' I had the following, which makes me think that the system is hosed. This is only extracts from the content I found in 'date' (it goes on for a few pages), and some of the other commands I checked have the same.

----------------------------------------------------------------------------------------
fatal flex scanner internal error--no action found
fatal flex scanner internal error--end of buffer missed
input buffer overflow, can't enlarge buffer because scanner uses REJECT
out of dynamic memory in yy_create_buffer()
out of dynamic memory in yy_scan_buffer()
out of dynamic memory in yy_scan_bytes()
input in flex scanner failed
bad buffer in yy_scan_bytes()
%s line %d: %s at '%s'
0123456789
0123456789abcdef
0123456789ABCDEF
%s: Unknown error: %u.%u.%u.%u
/usr/bin:/bin:/usr/sbin:/sbin:
0123456789abcdef
(null)
RPC: Success
RPC: Can't encode arguments
RPC: Can't decode result
RPC: Unable to send
RPC: Unable to receive
RPC: Timed out
RPC: Authentication error
RPC: Program unavailable
RPC: Program/version mismatch
RPC: Procedure unavailable
RPC: Remote system error
RPC: Unknown host
RPC: Port mapper failure
RPC: Program not registered
RPC: Unknown protocol
RPC: (unknown error code)
/var/run/rpcbind.sock
127.0.0.1
gethostbyname
gethostbyaddr
gethostby*.gethostanswer: asked for "%s", got "%s"
gethostby*.gethostanswer: asked for "%s %s %s", got type "%s"
Impossible condition (type=%d)
static buffer is too small (%d)
size (%d) too big
Too many addresses (%d)
res_search failed (%d)
master.passwd.byname
passwd.adjunct.byname
passwd-%u passwd
master.passwd.byuid
getpwcompat
passwd_compat
getpwent
getpwnam
getpwuid
/etc/spwd.db
/etc/pwd.db
-------------------------------------------------------------------------------

I have compared it with 'date' on another PC running Debian; that one only shows text to do with date, i.e. months, days etc. It's just that when I posted this on the forum the admin said "I think that you are overanalyzing here..." and that many people had noticed this and it was due to FreeBSD 5.0 being unsupported by chkrootkit, but if I still thought I was hosed, then I should post to this mailing list.

Have I been hosed or am I just overanalyzing? I would rather be over cautious than under cautious.

Tony.

--
NeoMail . http://neomail.sourceforge.net