Date: Thu, 6 Feb 2003 23:22:51 -0800 (PST) From: Jeff Jirsa <jeff@unixconsults.com> To: "Remington L." <madriax@garlic.com> Cc: freebsd-questions@FreeBSD.ORG Subject: Re: **CHHROOTKIT INFECTED** Message-ID: <20030206232135.K76913-100000@boris.st.hmc.edu> In-Reply-To: <000501c2ce72$949e2160$0100a8c0@SHMOOPIE>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 6 Feb 2003, Remington L. wrote: > I'm using 5.0 release > > OK I was just going through and I found that chkrootkit found that chfn, > chsh, date, and ls are infected. I'm not sure if it's lying or not. I > attempted to fix ls by recompiling from /usr/src/bin/ls and redoing but > chkrootkit still says infected. That's all the information I can provide > at this time. Has anyone come across this problem? Any suggestions? > Could be 5.0 causing this or is there some validity to it? You're not infected. chkrootkit checks for the presence of "/bin/sh" or "/bin/csh" in output of `strings <binary>`, and apparently this no longer works. You'll have to wait for chkrootkit to be updated to support FreeBSD 5. - Jeff To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030206232135.K76913-100000>