From: "no name"
To: rofug@rofug.ro
cc: freebsd-questions@freebsd.org
Date: Fri, 11 Apr 2003 07:37:31 +0000
Subject: LKM problem

chkrootkit output follows (stripped out useless stuff):

Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ps'... INFECTED
Checking `lkm'... You have 2 process hidden for readdir command
You have 13 process hidden for ps command
Warning: Possible LKM Trojan installed

Can anyone please advise? I wouldn't want to reinstall the system from scratch (with all its requirements that would take about 3-4 days). I tried cvsup src-all and make world, but the infected binaries remained. I even tried compiling by hand in /usr/src/bin/ls, but the resulting binaries would still appear infected.

Assuming there was something wrong with chkrootkit, I tried checking an ls binary compiled on a similar system and it found it clean. I couldn't use the 'ps' binary from the remote system:

root@box ~/bin# ./ps
ps: proc size mismatch (36936 total, 1060 chunks)
root@box ~/bin#

If anyone can help, I would like to find that rootkit and study it.

Thanks in advance
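A defender-side cross-check of the kind chkrootkit's lkm test performs, added here as an example and not part of the original mail or of chkrootkit: probe the kernel with kill(pid, 0) for every PID, compare the answer against what procfs readdir and ps(1) report, and re-check each candidate so a process that merely exited between the two scans is not counted as hidden. The function names and the /proc path are assumptions of this example; procfs is not mounted by default on FreeBSD (readdir_pids then returns None and that method is skipped), and on a host where ps and the kernel are already suspect, as in the mail, the check belongs on trusted media because a kernel-level hook can lie to kill(2) as easily as to readdir.

```python
import os
import subprocess

def pid_alive(pid):
    """kill(pid, 0) delivers no signal; EPERM still proves the process exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def probe_pids(max_pid=99999):
    """PIDs the kernel admits exist, independent of ps(1) or procfs."""
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}

def readdir_pids(procfs="/proc"):
    """PIDs visible as procfs directory entries (None if procfs is absent)."""
    try:
        return {int(n) for n in os.listdir(procfs) if n.isdigit()}
    except FileNotFoundError:
        return None

def ps_pids():
    """PIDs reported by ps(1); None if ps is unavailable or fails."""
    try:
        out = subprocess.run(["ps", "-A", "-o", "pid="], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return {int(tok) for tok in out.split()}

def reconcile(probe, listing, listing_again, still_alive):
    """PIDs the probe found but the listing omits, kept only if a second
    listing still omits them and they are still alive: a process that
    exited between scans is a transient, not a hidden one."""
    return {pid for pid in probe - listing
            if pid not in listing_again and still_alive(pid)}

def scan(max_pid=99999):
    """Hidden-PID report per listing method, mirroring the two lkm lines."""
    probe = probe_pids(max_pid)
    report = {}
    for name, lister in (("readdir", readdir_pids), ("ps", ps_pids)):
        first = lister()
        if first is not None:
            report[name] = reconcile(probe, first, lister() or set(), pid_alive)
    return report
```

Run scan() as root; any non-empty set for a method is the condition the "process hidden for ... command" lines above report.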