From: Martin Hudec
To: freebsd-questions@freebsd.org
Date: Thu, 15 Apr 2004 10:01:18 +0200
Subject: Re: False positives from chkrootkit? or hacked test server?

Hello,

thanks for the info :), that explains why my 4.9-STABLE was not infected
and 4.10-BETA shows false positives.. But I am still a bit unsure why my
5.2.1-RELEASE-p4 (not mentioning one false positive) stops while checking
lkm..

Cheers,
Martin

On Thu, Apr 15, 2004 at 08:29:17AM +0100 or thereabouts, Matthew Seaman wrote:
> In a word: yes.  This was something that was quite a popular question
> on this list some months back around the time of one of the earlier
> 5.x releases.  I don't remember anyone mentioning this in the context
> of 4.9 or earlier systems, but that could just be my memory failing.
>
> http://lists.freebsd.org/pipermail/freebsd-security/2003-August/000755.html
>
> For the rest of the traffic look at:
>
> http://www.google.co.uk/search?hl=en&ie=UTF-8&oe=UTF-8&safe=off&q=site%3Alists.freebsd.org+chkrootkit+chfn+INFECTED&btnG=Search&meta=
>
> (Nb. chkrootkit has since been fixed to work correctly under 5.x)
>
> However see this:
>
> http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011362.html
>

--
Martin Hudec | corwin at aeternal.net | corwin at web.markiza.sk
http://www.aeternal.net | cell +421 907 303 393