From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 16:27:44 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D178216A4BF for ; Sun, 24 Aug 2003 16:27:44 -0700 (PDT)
Received: from dns12.mail.yahoo.co.jp (dns12.mail.yahoo.co.jp [210.81.151.145]) by mx1.FreeBSD.org (Postfix) with SMTP id 7F4C743FA3 for ; Sun, 24 Aug 2003 16:27:43 -0700 (PDT) (envelope-from ayakokiko@ybb.ne.jp)
Received: from unknown (HELO gorgon.near.this) (219.11.234.11 with poptime) by dns12.mail.yahoo.co.jp with SMTP; 24 Aug 2003 23:27:42 -0000
X-Apparently-From:
Received: from ghost.near.this (ghost.near.this [10.0.3.9]) by gorgon.near.this (Postfix) with ESMTP id 4B8607F7D; Mon, 25 Aug 2003 08:27:40 +0900 (JST)
Received: by ghost.near.this (Postfix, from userid 100) id F294119320; Mon, 25 Aug 2003 08:27:35 +0900 (JST)
Date: Mon, 25 Aug 2003 08:27:33 +0900
From: horio shoichi
To: patpro
In-Reply-To:
References:
X-Mailer: Sylpheed version 0.9.3claws (GTK+ 1.2.10; i386-portbld-freebsd4.8)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <20030824.232734.8f68bd1f152d203f.10.0.3.9@bugsgrief.net>
cc: freebsd-security@freebsd.org
Subject: Re: weird problem with chkrootkit and checksums
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 24 Aug 2003 23:27:44 -0000

On Sun, 24 Aug 2003 11:19:24 +0200 patpro wrote:

> Hello,
>
> last night, my chkrootkit crontab returned an alarm message:
>
> > Checking `lkm'... You have 1 process hidden for readdir command
> > You have 2 process hidden for ps command
> > Warning: Possible LKM Trojan installed
>
> Some research on google makes me think it's probably a false positive. I
> tried a few things:
>
> re-launching chkrootkit: "Checking `lkm'... nothing detected"
> re-compiling and launching a fresh binary: "Checking `lkm'... nothing detected"
> and comparing some critical binaries with the ones compiled at the beginning
> of August during a make world:
>
> $ md5 /usr/obj/usr/src/bin/ls/ls
> MD5 (/usr/obj/usr/src/bin/ls/ls) = cd2dcad3cc08b5f5ad05456f016e8099
> $ md5 /bin/ls
> MD5 (/bin/ls) = 1808e84cfcbaf71ce1073cc418ff262a
>
> $ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
> MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) = 7fbd1e72a5795b038b16ece37df13ee0
> $ md5 /usr/bin/netstat
> MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501
>
> I feel like there is something wrong here...
> I picked random binaries and compared their checksums with their
> /usr/obj/usr/src/ counterparts, and every time they do not match.
> I tried the same check on another box running the same version of FreeBSD
> and found the same differing checksums:
>
> $ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
> MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) = 7fbd1e72a5795b038b16ece37df13ee0
> $ md5 /usr/bin/netstat
> MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501
>
> So I guess it's normal behavior. Can someone please explain to me why the
> original binaries (/usr/obj/usr/src/) don't have the same checksum as the
> installed binaries?
>
> thanks,
>
> patpro
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

Like this?
% ls -l /bin/ls
-r-xr-xr-x  1 root  wheel  304840 Aug  6 23:52 /bin/ls*
% ls -l /usr/obj/usr/src/bin/ls/ls
-rwxr-xr-x  1 root  horio  328286 Aug  6 22:40 /usr/obj/usr/src/bin/ls/ls*
% file /bin/ls
/bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 4.8, statically linked, stripped
% file /usr/obj/usr/src/bin/ls/ls
/usr/obj/usr/src/bin/ls/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 4.8, statically linked, not stripped

horio shoichi
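The output above is the whole answer: installworld copies binaries with install -s, so /bin/ls is the stripped form of /usr/obj/usr/src/bin/ls/ls, and a checksum over the whole file can never match. What strip(1) removes is the non-allocated sections (.symtab, .strtab, debug sections) and it rewrites the ELF header and section table to match; the sections the loader actually maps (SHF_ALLOC: .text, .rodata, .data and so on) are left byte for byte as the linker wrote them. So the check patpro was reaching for is a comparison of allocated sections, not of files. The quick way on the box itself is `strip -o /tmp/ls.stripped /usr/obj/usr/src/bin/ls/ls && md5 /tmp/ls.stripped /bin/ls`; the script below, an added example that is not part of this thread, does the same comparison from first principles so the reason is visible. It constructs two toy ELF64 images standing in for the unstripped /usr/obj copy and the installed binary (the thread's binaries are i386 ELF32; the 64-bit layout, the 11-byte .text and the section names are my choices), shows that their MD5s differ while their allocated sections hash identically, and then shows the same comparison catching a stripped image whose code has been altered by one byte.

```python
"""Why strip(1) changes a binary's MD5 but not its code.

Constructed example: builds toy ELF64 images for the unstripped /usr/obj copy and the
installed (stripped) binary, then compares only the sections the loader maps.
"""
import hashlib
import struct

ELF_HEADER = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr
PROGRAM_HEADER = "<IIQQQQQQ"       # Elf64_Phdr
SECTION_HEADER = "<IIQQQQIIQQ"     # Elf64_Shdr
SYMBOL = "<IBBHQQ"                 # Elf64_Sym
PT_LOAD, SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, SHT_NOBITS = 1, 1, 2, 3, 8
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4
BASE = 0x400000

# Constructed .text: push rbp; mov rbp,rsp; mov eax,0; pop rbp; ret
TEXT = bytes.fromhex("554889e5b8000000005dc3")


def build_elf(text, with_symbols):
    """Emit a minimal static ELF64 image; with_symbols=False mimics what strip(1) leaves behind."""
    hdr_len = struct.calcsize(ELF_HEADER) + struct.calcsize(PROGRAM_HEADER)
    sections = [(".text", SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR, text)]
    if with_symbols:  # .symtab/.strtab are not SHF_ALLOC: never mapped, and the first to go under strip
        null_sym = struct.pack(SYMBOL, 0, 0, 0, 0, 0, 0)
        main_sym = struct.pack(SYMBOL, 1, 0x12, 0, 1, BASE + hdr_len, len(text))  # GLOBAL FUNC in .text
        sections.append((".symtab", SHT_SYMTAB, 0, null_sym + main_sym))
        sections.append((".strtab", SHT_STRTAB, 0, b"\x00main\x00"))
    shstrtab, name_off = b"\x00", {}
    for name in [s[0] for s in sections] + [".shstrtab"]:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode() + b"\x00"
    sections.append((".shstrtab", SHT_STRTAB, 0, shstrtab))

    body, shdrs = bytearray(), [bytes(struct.calcsize(SECTION_HEADER))]  # index 0 is the null header
    for index, (name, stype, flags, content) in enumerate(sections, start=1):
        offset = hdr_len + len(body)
        addr = BASE + offset if flags & SHF_ALLOC else 0
        link = index + 1 if stype == SHT_SYMTAB else 0   # .symtab links to the .strtab right after it
        info = 1 if stype == SHT_SYMTAB else 0           # index of the first non-local symbol
        entsize = struct.calcsize(SYMBOL) if stype == SHT_SYMTAB else 0
        shdrs.append(struct.pack(SECTION_HEADER, name_off[name], stype, flags, addr,
                                 offset, len(content), link, info, 1, entsize))
        body += content
    shoff = hdr_len + len(body)
    ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + bytes(8)  # ELFCLASS64, LSB, EV_CURRENT, FreeBSD OSABI
    ehdr = struct.pack(ELF_HEADER, ident, 2, 62, 1, BASE + hdr_len, struct.calcsize(ELF_HEADER),
                       shoff, 0, struct.calcsize(ELF_HEADER), struct.calcsize(PROGRAM_HEADER), 1,
                       struct.calcsize(SECTION_HEADER), len(shdrs), len(shdrs) - 1)
    load_len = hdr_len + len(text)   # one PT_LOAD over headers + .text, as a static binary has
    phdr = struct.pack(PROGRAM_HEADER, PT_LOAD, 5, 0, BASE, BASE, load_len, load_len, 0x1000)
    return bytes(ehdr + phdr + body + b"".join(shdrs))


def sections_of(data):
    """Parse the section table into a list of (name, type, flags, content)."""
    e = struct.unpack_from(ELF_HEADER, data, 0)
    shoff, shentsize, shnum, shstrndx = e[6], e[11], e[12], e[13]
    hdrs = [struct.unpack_from(SECTION_HEADER, data, shoff + i * shentsize) for i in range(shnum)]
    names = data[hdrs[shstrndx][4]:hdrs[shstrndx][4] + hdrs[shstrndx][5]]
    out = []
    for sh_name, sh_type, sh_flags, _addr, sh_off, sh_size, *_ in hdrs[1:]:
        name = names[sh_name:names.index(b"\x00", sh_name)].decode()
        content = b"" if sh_type == SHT_NOBITS else data[sh_off:sh_off + sh_size]
        out.append((name, sh_type, sh_flags, content))
    return out


def allocated_digest(data):
    """Hash only the sections the loader maps (SHF_ALLOC): strip(1) rewrites the ELF header
    and drops .symtab/.strtab/debug sections, but leaves these bytes untouched."""
    h = hashlib.sha256()
    for name, _t, flags, content in sections_of(data):
        if flags & SHF_ALLOC:
            h.update(name.encode() + b"\x00" + content)
    return h.hexdigest()


def has_symbol_table(data):
    return any(t == SHT_SYMTAB for _n, t, _f, _c in sections_of(data))


def compare_build_to_install(obj_image, installed_image):
    """Does the installed file differ from the /usr/obj copy only by what stripping removes?"""
    obj_names = {s[0] for s in sections_of(obj_image)}
    inst_names = {s[0] for s in sections_of(installed_image)}
    return {
        "whole_file_md5_matches": hashlib.md5(obj_image).digest() == hashlib.md5(installed_image).digest(),
        "allocated_sections_match": allocated_digest(obj_image) == allocated_digest(installed_image),
        "dropped_by_strip": sorted(obj_names - inst_names),
        "installed_is_stripped": not has_symbol_table(installed_image),
    }


UNSTRIPPED = build_elf(TEXT, with_symbols=True)                  # stand-in for /usr/obj/usr/src/bin/ls/ls
INSTALLED = build_elf(TEXT, with_symbols=False)                  # stand-in for /bin/ls after install -s
TAMPERED = build_elf(TEXT[:-1] + b"\xcc", with_symbols=False)    # stripped too, but one byte of code changed

if __name__ == "__main__":
    for label, img in (("unstripped", UNSTRIPPED), ("installed", INSTALLED), ("tampered", TAMPERED)):
        print(f"{label:10} {len(img):4} bytes  md5 {hashlib.md5(img).hexdigest()}  alloc {allocated_digest(img)[:16]}")
    print("installed vs obj:", compare_build_to_install(UNSTRIPPED, INSTALLED))
    print("tampered vs obj: ", compare_build_to_install(UNSTRIPPED, TAMPERED))
```

Two caveats apply to the real check as much as to the toy. The comparison is only meaningful when both files come from the same build: a second make world, or a different compiler or source revision, changes the allocated sections legitimately. And on a host you suspect is compromised, the /usr/obj tree is no more trustworthy than /bin; the reference hashes or binaries have to come from somewhere the attacker could not write to, such as read-only media or a clean build on another machine.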