Date: Sun, 9 Apr 2006 14:11:59 -0400
From: Kris Kennaway
To: Vitaliy K
Cc: questions@FreeBSD.org
Subject: Re: chkrootkit

On Sun, Apr 09, 2006 at 08:39:51PM +0300, Vitaliy K wrote:
> ??, questions!
>
> I badly know english, beforehand I apologize for the illiteracy.
>
> I ask the help you in the decision of my problem.
>
> I have loaded program stock-takings rootkit from a site
> http://www.chkrootkit.org/.
>
> Has started, and has received below resulted result. I am disturbed
> with a line Checking `date'... INFECTED
>
> # ./chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not infected
> Checking `basename'... not infected
> Checking `biff'... not infected
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... INFECTED
> How to me to be? It is a mistake of developers of the program or yours?

Most likely the program is wrong, this kind of utility really only
makes wild guesses. But you never know, so if you have other reason
to believe your system was compromised you should still consider
taking action.

Kris