From: Todd Zimmermann
Date: Thu, 13 Feb 2003 02:39:04 -0500
To: freebsd-questions@freebsd.org
Subject: chkrootkit on 5.0-release... false positive?
Message-ID: <3E4B4B98.30300@att.net>

Was wondering if anyone else has gotten positives on a rather vague lkm trojan when running chkrootkit on 5.0-release p1? I ran it occasionally on 4.7 stable and it never found anything. It's reporting chfn, chsh, date, ls, and ps as infected and a possible lkm trojan being loaded, plus 8-12 processes hidden from ps.

Thinking it's probably just the port not being in sync with the new release but being a believer in paranoia...

Any feedback would be appreciated.