Date: Tue, 28 Jan 2003 08:36:45 -0800 From: Brooks Davis <brooks@one-eyed-alien.net> To: Sascha Luck <bofh@online.ie> Cc: freebsd-security@FreeBSD.ORG Subject: Re: chkrootkit & FBSD-5 Message-ID: <20030128083645.A4998@Odin.AC.HMC.Edu> In-Reply-To: <200301281516.16413.bofh@online.ie>; from bofh@online.ie on Tue, Jan 28, 2003 at 03:16:07PM %2B0000 References: <20030128085617.L167@woody.ops.uunet.co.za> <200301281516.16413.bofh@online.ie>
next in thread | previous in thread | raw e-mail | index | archive | help
--x+6KMIRAuhnl3hBn Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 28, 2003 at 03:16:07PM +0000, Sascha Luck wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 >=20 > Hello all, >=20 > on my CURRENT boxes, chkrootkit (v0.38) reports the following binaries=20 > as INFECTED: >=20 > chfn > chsh > date > ls > ps >=20 > as well as 7 hidden PIDs. >=20 > recompiling/reinstalling the binaries seems to have no effect. I'm=20 > tempted to regard these as false positives - anyone else notice this=20 > behaviour? Someone else mentioned it to me. They now contain the string "/bin/sh" which chkrootkit looks for. I'd be curious to know why they do. -- Brooks --=20 Any statement of the form "X is the one, true Y" is FALSE. PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --x+6KMIRAuhnl3hBn Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+NrGcXY6L6fI4GtQRAtbvAKDIMdg8UHiADe+HBuJXQje0RtlxUACcCJE7 JYSHFkCFsbVLwlH812MnOXQ= =Q/nb -----END PGP SIGNATURE----- --x+6KMIRAuhnl3hBn-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030128083645.A4998>