Date: Thu, 13 May 2004 13:05:45 -0700
From: Kris Kennaway
To: "Shaun T. Erickson"
cc: freebsd-questions@freebsd.org
Subject: Re: chkrootkit says 'date' is infected
Message-ID: <20040513200545.GB8931@xor.obsecurity.org>
In-Reply-To: <40A3CBB8.1090202@smxy.org>

On Thu, May 13, 2004 at 03:25:44PM -0400, Shaun T. Erickson wrote:
> I just installed and ran the chkrootkit port on my 5.2.1-RELEASE-p5
> system. It says my date command is infected. Nothing else, just that.
> How can I determine if this is a false positive or if I'm truly hacked?

Talk to the chkrootkit developers. Their tool provides so many false
positives that they're the ones who should be bearing the
responsibility for dealing with user confusion :)

Kris