From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 14:25:06 2004
Date: Wed, 18 Aug 2004 14:25:11 +0000
From: "Thordur Ivar B."
To: freebsd-security@freebsd.org
Message-Id: <20040818142511.390043af.thib@mi.is>
In-Reply-To: <20040818121102.95460.qmail@web52402.mail.yahoo.com>
References: <20040818121102.95460.qmail@web52402.mail.yahoo.com>
X-Mailer: Sylpheed version 0.9.12 (GTK+ 1.2.10; i386-portbld-freebsd5.2)
Subject: Re: chfn, date, chsh INFECTED according to chkrootkit
List-Id: Security issues [members-only posting]

On Wed, 18 Aug 2004 05:11:02 -0700 (PDT)
probsd org wrote:

> I ran chkrootkit (v. chkrootkit-0.43) earlier and noticed that chfn, date,
> and chsh showed as being infected. I remember reading posts from the past
> that right now chkrootkit is giving a lot of false positives, so I
> suspected that these 3 binaries are not bad.
>
> However, to be on the safe side, I deleted the 3 binaries, removed
> /usr/src and did a 'make world' to 4.10-STABLE.
>
> But chfn, chsh, and date are still showing as infected.
>
> Is my assumption that I am seeing a false positive correct, or does anyone
> know of an exploit that would affect these 3 binaries (and even after a
> 'make world' from clean src)?
>
> Michael

These are false positives. I had this showing on a box of mine
(chkrootkit-0.43). What I did was remove the binaries, resync my source and
do a new build.

But still, you can only be sure if you trust your CVS checkout. I have found
it rather annoying not having checksums of each and every file in /usr/src,
and not having a "secure" (man-in-the-middle attack, etc. comes to mind) way
of obtaining the checksum file. (A good shell script could verify the
checkout and you could sleep easy ;) Do correct me about the checksums if
I'm wrong.

-- 
As far as the laws of mathematics refer to reality, they are not certain,
and as far as they are certain, they do not refer to reality.
  -- Albert Einstein
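The "good shell script" the reply wishes for, as an added example that is not part of the original thread or of FreeBSD: it builds a per-file SHA-256 manifest of a source tree and checks another copy of the tree against it, reporting changed, missing and extra files. The function names (manifest_tree, hash_file, verify_tree) are this example's own; it assumes sha256(1) on FreeBSD or sha256sum on GNU systems, and it does not solve the other half of the problem the reply raises, obtaining the manifest itself over a channel you trust (a signed manifest, out-of-band fingerprint, etc.).

```shell
#!/bin/sh
# Added example (not from the thread). Manifest format: "<sha256>  <path>",
# one regular file per line, paths relative to the tree root and sorted.
# Paths containing whitespace are not supported (none exist in /usr/src).

# Print the SHA-256 of one file; sha256(1) on FreeBSD, sha256sum elsewhere.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Emit a manifest for every regular file under directory $1.
manifest_tree() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        # strip the leading "./" so manifests from different roots compare equal
        printf '%s  %s\n' "$(hash_file "$f")" "${f#./}"
    done )
}

# Verify tree $2 against manifest $1. Prints one line per discrepancy
# (CHANGED / MISSING / EXTRA) and returns 1 if any, 0 if the tree matches.
verify_tree() {
    expected=$1; dir=$2; rc=0
    actual=$(mktemp) || return 2
    manifest_tree "$dir" > "$actual"
    # Join the two manifests on path: in the manifest only -> MISSING,
    # on disk only -> EXTRA, in both with different hashes -> CHANGED.
    awk 'FILENAME == ARGV[1] { want[$2] = $1; next }
         { have[$2] = $1 }
         END {
             for (p in want)
                 if (!(p in have))        { print "MISSING  " p; bad = 1 }
                 else if (want[p] != have[p]) { print "CHANGED  " p; bad = 1 }
             for (p in have)
                 if (!(p in want))        { print "EXTRA    " p; bad = 1 }
             exit bad + 0
         }' "$expected" "$actual" || rc=1
    rm -f "$actual"
    return $rc
}
```

Generate the manifest once from a checkout you trust (`manifest_tree /usr/src > MANIFEST`), publish it through a trusted channel, and run `verify_tree MANIFEST /usr/src` after every resync before building.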