From owner-freebsd-questions@FreeBSD.ORG Fri Apr 11 01:32:28 2003
Date: Fri, 11 Apr 2003 01:29:17 -0700 (PDT)
From: Tak Pui LOU
To: no name
Message-ID: <20030411012148.Y20688@man-97-187.ResHall.Berkeley.EDU>
cc: rofug@rofug.ro
cc: freebsd-questions@freebsd.org
Subject: Re: LKM problem

Although there is nothing detected in my LKM, I have the same question.
I have the following output:

Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED

What does INFECTED here imply? I just did a cvs to -current src-all and did a buildworld etc.
Are these "INFECTED" programs normal after a -current buildworld from R5.0?

---
Takpui

On Fri, 11 Apr 2003, no name wrote:

> chkrootkit output follows (stripped out useless stuff):
>
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ps'... INFECTED
> Checking `lkm'... You have 2 process hidden for readdir command
> You have 13 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Can anyone please advise? I wouldn't want to reinstall the system from
> scratch (with all its requirements that would take about 3-4 days)
>
> I tried cvsup src-all and make world but the infected binaries remained.
> I even tried compiling by hand in /usr/src/bin/ls but the resulting binaries
> would still appear infected. Assuming there was something wrong with
> chkrootkit I tried checking a ls binary compiled on a similar system and it
> found it clean. I couldn't use the 'ps' binary from the remote system
>
> root@box ~/bin# ./ps
> ps: proc size mismatch (36936 total, 1060 chunks)
> root@box ~/bin#
>
> If anyone can help I would like to find that rootkit and study it
>
> Thanx in advance
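
Added example (not part of either message and not chkrootkit's own code): a small Python parser for the report format quoted above. It lists the tests marked INFECTED and extracts the hidden-process counts from the `lkm` check, so that runs before and after a rebuild, or on two hosts, can be compared. The function names are hypothetical and the embedded sample is constructed from the lines quoted in this thread.

```python
import re

# Constructed sample: the chkrootkit lines quoted in this thread.
SAMPLE = """\
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ps'... INFECTED
Checking `lkm'... You have 2 process hidden for readdir command
You have 13 process hidden for ps command
Warning: Possible LKM Trojan installed
"""

CHECK = re.compile(r"^Checking `([^']+)'\.\.\.\s*(.*)$")
HIDDEN = re.compile(r"You have (\d+) process hidden for (\w+) command")

def parse_report(text):
    """Return (results, hidden, warnings) parsed from chkrootkit text output."""
    results, hidden, warnings = {}, {}, []
    pending = None                        # test whose status wrapped to the next line
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()   # tolerate mail-quote prefixes
        if not line:
            continue
        for count, source in HIDDEN.findall(line):
            hidden[source] = int(count)   # e.g. {"readdir": 2, "ps": 13}
        if line.startswith("Warning:"):
            warnings.append(line[len("Warning:"):].strip())
        m = CHECK.match(line)
        if m:
            name, rest = m.groups()
            results[name] = rest.strip()
            pending = None if rest.strip() else name
        elif pending:
            results[pending] = line       # status found on the following line
            pending = None
    return results, hidden, warnings

def infected(results):
    """Names of the tests whose status starts with INFECTED, sorted."""
    return sorted(n for n, s in results.items() if s.startswith("INFECTED"))

if __name__ == "__main__":
    results, hidden, warnings = parse_report(SAMPLE)
    print("flagged binaries:", ", ".join(infected(results)))
    print("hidden process counts:", hidden)
    print("warnings:", warnings)
```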