From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 12:20:20 2004
From: probsd org
To: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 05:11:02 -0700 (PDT)
Subject: chfn, date, chsh INFECTED according to chkrootkit
Message-ID: <20040818121102.95460.qmail@web52402.mail.yahoo.com>

I ran chkrootkit (v. chkrootkit-0.43) earlier and noticed that chfn, date, and chsh showed as being infected. I remember reading posts from the past that right now chkrootkit is giving a lot of false positives, so I suspected that these 3 binaries are not bad. However, to be on the safe side, I deleted the 3 binaries, removed /usr/src and did a 'make world' to 4.10-STABLE. But chfn, chsh, and date are still showing as infected. Is my assumption that I am seeing a false positive correct, or does anyone know of an exploit that would affect these 3 binaries (and even after a 'make world' from clean src)?

Michael
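The check a practitioner would run before believing either chkrootkit or a rebuild: compare the installed binaries byte-for-byte (by digest) against the freshly built copies rather than against a signature heuristic. The script below is an added example written for this page, not code from the original post or from chkrootkit. It assumes the trusted copies have been collected into one flat directory (on FreeBSD the build output lives under /usr/obj in per-program subdirectories, so you would copy or point at those paths); the demo function builds two constructed temporary directories standing in for the trusted tree and /usr/bin, tampers with one installed copy, and shows how a genuine modification is reported.

```shell
#!/bin/sh
# Added example (not from the original post or from chkrootkit): verify installed
# binaries against a freshly built copy by SHA-256 digest instead of trusting a
# string-signature scanner. Assumption: trusted copies are in one flat directory.

# digest FILE -> prints the hex SHA-256 of FILE.
# Portable across GNU sha256sum, BSD sha256(1) and a bare openssl(1).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# compare_bins TRUSTED_DIR INSTALLED_DIR NAME...
# Prints one line per binary: "OK name", "MISMATCH name", "MISSING name" or
# "MISSING-TRUSTED name". Returns 0 only when every binary matched.
compare_bins() {
    trusted=$1
    installed=$2
    shift 2
    rc=0
    for name in "$@"; do
        t="$trusted/$name"
        i="$installed/$name"
        if [ ! -f "$t" ]; then
            echo "MISSING-TRUSTED $name"; rc=1; continue
        fi
        if [ ! -f "$i" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        if [ "$(digest "$t")" = "$(digest "$i")" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done
    return $rc
}

# demo: constructed stand-ins for the build tree and /usr/bin. Three identical
# files are created, then the installed "date" is altered so the comparison
# reports exactly one MISMATCH and returns non-zero.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/trusted" "$tmp/installed"
    for b in chfn chsh date; do
        printf 'stand-in for %s\n' "$b" > "$tmp/trusted/$b"
        cp "$tmp/trusted/$b" "$tmp/installed/$b"
    done
    printf 'appended bytes\n' >> "$tmp/installed/date"
    compare_bins "$tmp/trusted" "$tmp/installed" chfn chsh date
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Two caveats worth keeping in mind when applying this to the situation in the post. First, a matching digest only proves that the installed file equals what the build produced; if the compiler, linker or the digest tool itself were replaced, both sides of the comparison could be wrong together, so for a real incident run the comparison with tools from clean install media. Second, if the files do match their freshly built copies and chkrootkit still flags them, look at what it is matching on (chkrootkit's per-binary tests are string pattern matches over the file contents, so `strings -a` on the binary shows the same material it sees) before concluding anything about an infection.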