From owner-freebsd-stable@FreeBSD.ORG Wed Dec 27 03:44:52 2006
Date: Tue, 26 Dec 2006 22:44:51 -0500
From: Kris Kennaway
To: Matthew Herzog
Cc: freebsd-stable@freebsd.org
Subject: Re: chkrootkit finds 94 process hidden for readdir
Message-ID: <20061227034451.GA9859@xor.obsecurity.org>
In-Reply-To: <7cf39bb60612231257p1a8a62c3g43a9da939306a59e@mail.gmail.com>
User-Agent: Mutt/1.4.2.2i
List-Id: Production branch of FreeBSD source code

On Sat, Dec 23, 2006 at 03:57:35PM -0500, Matthew Herzog wrote:
> Hello.
>
> I run FreeBSD 6.1-RELEASE-p7 on an UltraSparc 5 machine.
>
> I ran chkrootkit yesterday and saw this:
>
> Checking `lkm'... You have 94 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
>
> Everything else was deemed clean by chkrootkit.
>
> When I booted into single-user mode and ran chkrootkit it said there were
> "33 process hidden for readdir command"
>
> The sha256 checksum is slightly different for the /usr/bin/su binary
> on the install media compared to the /usr/bin/su on the running install.
>
> I could find nothing definitive on this subject posted online so . . . .

Most likely this is just another false positive with this inherently
unreliable problem.

Kris
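The following is an added example, not code from this thread and not chkrootkit's own source. It reproduces the kind of comparison behind a "process hidden for readdir" report so the false-positive mechanism is visible: one snapshot of pids is taken by probing kill(pid, 0) (the kernel answers for every live process), a second by listing the numeric entries of a procfs mount point, and any pid in the first set but not the second is reported as hidden. Assumptions not taken from the page: that this is how chkproc's readdir check works, the probe ceiling PROBE_MAX_PID, and /proc as the default mount point. Two things follow from the code: if procfs is not mounted at the path examined, the readdir snapshot is empty and every live process is "hidden", which explains a count that tracks the number of running processes and shrinks in single-user mode; and even with procfs mounted, any process that exits between the two snapshots lands in the hidden list, so a non-zero count should be re-run and cross-checked before it is treated as a rootkit.

```c
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption (not from the thread): highest pid worth probing here.
 * The real chkproc has its own compile-time limit. */
#define PROBE_MAX_PID 99999
#define TRACK_MAX     65536

/* kill(pid, 0) delivers no signal; success or EPERM means the pid exists
 * (EPERM: the process is there but owned by someone else). */
int pid_alive(pid_t pid)
{
    if (kill(pid, 0) == 0)
        return 1;
    return errno == EPERM;
}

/* First snapshot: every pid the kernel acknowledges. */
size_t probe_pids(pid_t *out, size_t max)
{
    size_t n = 0;
    for (pid_t pid = 1; pid <= PROBE_MAX_PID && n < max; pid++)
        if (pid_alive(pid))
            out[n++] = pid;
    return n;
}

/* Second snapshot: purely numeric entries of a procfs directory.
 * If nothing is mounted there this returns 0, and every live process
 * then looks "hidden" to the comparison below. */
size_t readdir_pids(const char *procdir, pid_t *out, size_t max)
{
    DIR *d = opendir(procdir);
    struct dirent *e;
    size_t n = 0;
    if (d == NULL)
        return 0;
    while ((e = readdir(d)) != NULL && n < max) {
        char *end;
        long v = strtol(e->d_name, &end, 10);
        if (e->d_name[0] != '\0' && *end == '\0' && v > 0)
            out[n++] = (pid_t)v;
    }
    closedir(d);
    return n;
}

static int pid_in_list(pid_t pid, const pid_t *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == pid)
            return 1;
    return 0;
}

/* The comparison itself: pids in the kill() snapshot that are absent from
 * the readdir() snapshot. Stores up to maxh of them in hidden[] (if given)
 * and returns the full count. Kept pure so it can be tested on
 * constructed lists. */
size_t count_hidden(const pid_t *probed, size_t np,
                    const pid_t *seen, size_t ns,
                    pid_t *hidden, size_t maxh)
{
    size_t count = 0;
    for (size_t i = 0; i < np; i++) {
        if (pid_in_list(probed[i], seen, ns))
            continue;
        if (hidden != NULL && count < maxh)
            hidden[count] = probed[i];
        count++;
    }
    return count;
}

int main(int argc, char **argv)
{
    const char *procdir = argc > 1 ? argv[1] : "/proc";
    static pid_t probed[TRACK_MAX], seen[TRACK_MAX], hidden[TRACK_MAX];
    size_t np = probe_pids(probed, TRACK_MAX);
    size_t ns = readdir_pids(procdir, seen, TRACK_MAX);
    size_t nh = count_hidden(probed, np, seen, ns, hidden, TRACK_MAX);

    printf("kill() sees %zu pids, %s lists %zu, %zu \"hidden\"\n",
           np, procdir, ns, nh);
    if (ns == 0)
        printf("no pid entries under %s: is procfs mounted there?\n", procdir);
    for (size_t i = 0; i < nh && i < 10; i++)
        printf("  hidden pid %ld\n", (long)hidden[i]);
    /* Processes that exited between the two snapshots also land in
     * hidden[]; re-run and compare before reading a hit as a rootkit. */
    return nh != 0;
}
```

Run it as an unprivileged user (`./chkproc_demo`, or `./chkproc_demo /some/other/mountpoint`); with procfs unmounted it reports every probed pid as hidden, which is the shape of the numbers quoted above. A genuinely hidden process would have to be one the kernel acknowledges to kill() yet omits from procfs, and the race on a busy box means a single run cannot distinguish that from ordinary process churn.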