Date: Tue, 28 Jan 2003 08:36:45 -0800 From: Brooks Davis <brooks@one-eyed-alien.net> To: Sascha Luck <bofh@online.ie> Cc: freebsd-security@FreeBSD.ORG Subject: Re: chkrootkit & FBSD-5 Message-ID: <20030128083645.A4998@Odin.AC.HMC.Edu> In-Reply-To: <200301281516.16413.bofh@online.ie>; from bofh@online.ie on Tue, Jan 28, 2003 at 03:16:07PM %2B0000 References: <20030128085617.L167@woody.ops.uunet.co.za> <200301281516.16413.bofh@online.ie>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On Tue, Jan 28, 2003 at 03:16:07PM +0000, Sascha Luck wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hello all, > > on my CURRENT boxes, chkrootkit (v0.38) reports the following binaries > as INFECTED: > > chfn > chsh > date > ls > ps > > as well as 7 hidden PIDs. > > recompiling/reinstalling the binaries seems to have no effect. I'm > tempted to regard these as false positives - anyone else notice this > behaviour? Someone else mentioned it to me. They now contain the string "/bin/sh" which chkrootkit looks for. I'd be curious to know why they do. -- Brooks -- Any statement of the form "X is the one, true Y" is FALSE. PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+NrGcXY6L6fI4GtQRAtbvAKDIMdg8UHiADe+HBuJXQje0RtlxUACcCJE7 JYSHFkCFsbVLwlH812MnOXQ= =Q/nb -----END PGP SIGNATURE-----home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030128083645.A4998>