From owner-freebsd-security@FreeBSD.ORG Thu May 12 21:00:10 2005
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B72716A4CE for ; Thu, 12 May 2005 21:00:10 +0000 (GMT)
Received: from rwcrmhc14.comcast.net (rwcrmhc14.comcast.net [216.148.227.89]) by mx1.FreeBSD.org (Postfix) with ESMTP id EA89543D62 for ; Thu, 12 May 2005 21:00:09 +0000 (GMT) (envelope-from piechota@argolis.org)
Received: from acropolis.argolis.org ([69.250.108.21]) by comcast.net (rwcrmhc14) with ESMTP id <2005051220574501400cempve>; Thu, 12 May 2005 20:57:45 +0000
Received: from acropolis.argolis.org (localhost [127.0.0.1]) by acropolis.argolis.org (8.13.3/8.13.1) with ESMTP id j4CKvYKo040132; Thu, 12 May 2005 16:57:34 -0400 (EDT) (envelope-from piechota@argolis.org)
Received: from localhost (piechota@localhost) j4CKvYRA040129; Thu, 12 May 2005 16:57:34 -0400 (EDT) (envelope-from piechota@argolis.org)
X-Authentication-Warning: acropolis.argolis.org: piechota owned process doing -bs
Date: Thu, 12 May 2005 16:57:30 -0400 (EDT)
From: Matt Piechota
To: DH
In-Reply-To: <20050512163806.98442.qmail@web20424.mail.yahoo.com>
Message-ID: <20050512160348.J38870@acropolis.argolis.org>
References: <20050512163806.98442.qmail@web20424.mail.yahoo.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
cc: freebsd-security@freebsd.org
Subject: Re: Do I have an infected init file?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Thu, 12 May 2005 21:00:10 -0000

On Thu, 12 May 2005, DH wrote:

> I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 &
> 0.45 report that my /sbin/init file is infected.

I should mention that 4.10-release is up to p13. You should really think
about patching up to current.

> It appears as though the egrep for "UPX" in the output of "strings"
> triggers the infected notice. When I copy the init file from an
> uninfected box to this one chkrootkit continues to report it as
> infected. Is chkrootkit reading a copy of the /sbin/init file stored in
> active memory? If my machine is compromised, which rootkit is installed
> / how can I find out which rootkit is installed?

The easiest way to figure out if you are rooted is probably to download
or create a clean version of /sbin/init, and compare the two files.
Creating might take some work: you'd have to install a clean 4.10, patch
it to p2, and make world.

--
Matt Piechota
Key Available from pgp.mit.edu
PGP Key fingerprint = FC90 4D65 2F8A 38E9 D1A8 FABB 7AE8 C194 5EC8 9CAD
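The two checks discussed in this thread, the "UPX" string signature that DH says triggers chkrootkit's warning and the byte-for-byte comparison against a known-good binary that Matt recommends, are shown together below as an added example. This is illustrative shell written for this page, not code from chkrootkit or from either poster; it emulates the `strings | egrep UPX` test with `tr` and `grep` so it runs without binutils, and the sample files it creates are constructed stand-ins, not real init binaries. The function names (`has_upx_marker`, `same_contents`, `classify`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: reproduce the chkrootkit-style "UPX" signature test and the
# "compare against a clean copy" check from the thread, then classify the result.

# has_upx_marker FILE
# Returns 0 if the printable strings of FILE contain "UPX", the pattern the
# question says chkrootkit greps for. tr -c '[:print:]' turns every
# non-printable byte into a newline, which approximates strings(1) output.
has_upx_marker() {
    tr -c '[:print:]' '\n' < "$1" | grep -q 'UPX'
}

# same_contents SUSPECT CLEAN
# Byte-for-byte comparison with cmp(1): this is the check Matt suggests, and it
# is independent of whatever signature a scanner happens to use.
same_contents() {
    cmp -s "$1" "$2"
}

# classify SUSPECT CLEAN
# Prints exactly one of:
#   differs-from-clean        bytes differ from the known-good copy: investigate
#   identical-false-positive  bytes match, but the UPX string is present, so a
#                             signature-only scanner would still flag it
#   identical-clean           bytes match and no marker present
classify() {
    if ! same_contents "$1" "$2"; then
        echo differs-from-clean
    elif has_upx_marker "$1"; then
        echo identical-false-positive
    else
        echo identical-clean
    fi
}

# Constructed demonstration files (not real binaries).
demo() {
    tmp=$(mktemp -d)
    printf 'fake-init\000\001 sample bytes\n' > "$tmp/clean_init"
    cp "$tmp/clean_init" "$tmp/copied_init"
    printf 'fake-init\000\001 sample bytes\nUPX!\n' > "$tmp/upx_init"
    printf 'fake-init\000\001 other bytes\n' > "$tmp/changed_init"

    echo "copied_init:  $(classify "$tmp/copied_init"  "$tmp/clean_init")"
    echo "upx_init:     $(classify "$tmp/upx_init"     "$tmp/upx_init")"
    echo "changed_init: $(classify "$tmp/changed_init" "$tmp/clean_init")"
    rm -rf "$tmp"
}

# Run the demonstration only when executed directly, not when sourced.
case "$0" in
    *sh) ;;          # sourced into an interactive shell: define functions only
    *) demo ;;
esac
```

The ordering in `classify` is the point: the byte comparison against the clean copy decides the question, and the string signature only explains why a scanner complained. A file that matches the clean copy yet still carries the "UPX" string is exactly the situation DH describes, and it is the comparison, not the signature, that tells you the box is not showing a modified init.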