From: Piotr Gnyp
To: questions@freebsd.org
Date: Thu, 15 Apr 2004 11:04:07 +0200 (CEST)
Organization: The Golden Apple Corp
Subject: false positive, or server hacked?

Hi,

I'm running FreeBSD 5.2.1-p4. I've just installed the new version of chkrootkit 0.43 from freshports, and the report follows:

Checking `date'... INFECTED
Checking `lkm'... You have 115 process hidden for readdir command
You have 23 process hidden for ps command
Warning: Possible LKM Trojan installed

ll of /bin/date

-r-xr-xr-x 1 root wheel 14776 30 Mar 13:20 /bin/date

Please advise.