Date:      Thu, 12 May 2005 09:38:06 -0700 (PDT)
From:      DH <dhutch9999@yahoo.com>
To:        freebsd-security@freebsd.org
Subject:   Do I have an infected init file?
Message-ID:  <20050512163806.98442.qmail@web20424.mail.yahoo.com>

Hello;

I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 & 0.45 report that my /sbin/init file is infected. 

It appears as though the egrep for "UPX" in the output of "strings" triggers the infected notice. When I copy the init file from an uninfected box to this one, chkrootkit continues to report it as infected. Is chkrootkit reading a copy of the /sbin/init file stored in active memory? If my machine is compromised, which rootkit is installed / how can I find out which rootkit is installed?

As a side note, neither Kaspersky AV nor rkhunter reports any infections. Attached is some of the debug output.

Thanks in advance to any respondents.

Sincerely;

David Hutchens III



		