From owner-freebsd-security@FreeBSD.ORG Fri May 13 01:51:12 2005
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E1B5716A4CE for ; Fri, 13 May 2005 01:51:12 +0000 (GMT)
Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id 78BB643D82 for ; Fri, 13 May 2005 01:51:12 +0000 (GMT) (envelope-from d4rkstorm@gmail.com)
Received: by rproxy.gmail.com with SMTP id i8so139446rne for ; Thu, 12 May 2005 18:51:12 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=A3jIleMCjkEYQhf/CfXJTrhgolGvv2CHjHK92FX+gD4wwLLAAdu1JLfDzv4Do0rfKjiI6s1+Pwwrj6KvbrwhVc7hkxuaKDFCs2VsMs4yMb4gi5NnnUKqVNtm9SdRz18HKUK/c5p/1xvlnS7eAXLm9yKVW3180mlWJIhyBHJOR/E=
Received: by 10.39.3.47 with SMTP id f47mr506928rni; Thu, 12 May 2005 18:51:12 -0700 (PDT)
Received: by 10.38.101.18 with HTTP; Thu, 12 May 2005 18:51:12 -0700 (PDT)
Message-ID: <245f0df105051218514285cc49@mail.gmail.com>
Date: Fri, 13 May 2005 11:51:12 +1000
From: "Drew B. [Security Expertise/Freelance Security research]."
To: Matt Piechota
In-Reply-To: <20050512160348.J38870@acropolis.argolis.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
References: <20050512163806.98442.qmail@web20424.mail.yahoo.com> <20050512160348.J38870@acropolis.argolis.org>
cc: freebsd-security@freebsd.org
Subject: Re: Do I have an infected init file?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Drew B. [Security Expertise/Freelance Security research]."
List-Id: Security issues [members-only posting]
X-List-Received-Date: Fri, 13 May 2005 01:51:13 -0000

Hello,

I have used rootkit-hunter for BSD, it can download MD5sums from whitehat which contains 'current' sigs, not that this matters, it only takes a good package (ie file is encrypted, to bypass any rootkit revealer etc). However I do recommend rootkit-hunter, http://www.rootkit.nl , it just runs when needed (/rkhunter -c, /rkhunter --update), and it does a VERY thorough job. I recommend running it without update first, then update it, you will no doubt find some multiple package installs, which seems to be a major problem with this, older package info staying in root after package is updated.

Hope this info is of any help, I can provide a detailed log of a rootkithunter.log.. just ask me to attach a copy.

Regards,
Drew B.

On 5/13/05, Matt Piechota wrote:
> On Thu, 12 May 2005, DH wrote:
>
> > I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 &
> > 0.45 report that my /sbin/init file is infected.
>
> I should mention that 4.10-release is up to p13. You should really think
> about patching up to current.
>
> > It appears as though the egrep for "UPX" in the output of "strings"
> > triggers the infected notice. When I copy the init file from an
> > uninfected box to this one chkrootkit continues to report it as
> > infected. Is chkrootkit reading a copy of the /sbin/init file stored in
> > active memory? If my machine is compromised, which rootkit is installed
> > / how can I find out which rootkit is installed?
>
> The easiest way to figure out if you are rooted is probably to download or
> create a clean version of /sbin/init, and compare the two files.
> Creating might take some work, you'd have to install a clean 4.10, patch
> it to p2, and make world.
>
> --
> Matt Piechota
> Key Available from pgp.mit.edu
> PGP Key fingerprint = FC90 4D65 2F8A 38E9 D1A8 FABB 7AE8 C194 5EC8 9CAD
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

--
------------------------------------------
Drew B. /* Security researcher/expert,threat-focus,Freelance */
------------------------------------------
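The thread turns on two checks: the chkrootkit heuristic DH describes (an egrep for "UPX" over the output of strings, which fires even on a known-clean init copied from another box) and Matt's suggestion of comparing the suspect /sbin/init against a clean copy. The script below is an added example, not code from the thread, from chkrootkit or from rkhunter; it emulates the string heuristic with POSIX tools and runs both checks over constructed sample files that stand in for the binaries, so it can be run anywhere and shows why a hash or byte comparison against a trusted reference settles what the string match cannot.

```shell
#!/bin/sh
# Added example (not from the thread, chkrootkit or rkhunter). Reproduces the
# two checks discussed: the "UPX" string heuristic that produced the false
# positive, and a comparison against a known-clean reference copy.

# Emulate `strings file | egrep UPX` with POSIX tools: turn every
# non-printable byte into a newline, keep runs of four or more printable
# characters (the strings(1) default), then look for the marker. Returns 0
# when the marker is present, i.e. when the heuristic would say "INFECTED".
# The marker is a plain substring, so any binary that happens to carry the
# text trips it, compromised or not.
upx_marker_present() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}' | grep -q 'UPX'
}

# Byte-for-byte comparison against a reference copy. Returns 0 on a match.
# A digest of the reference taken from install media or a trusted build
# (sha256 on FreeBSD, sha256sum on Linux) serves the same purpose without
# copying the whole binary around; the point is that the reference must
# come from somewhere the suspect host cannot have altered.
matches_reference() {
    cmp -s "$1" "$2"
}

# Combine both checks into a single verdict line.
classify() {
    suspect="$1"; reference="$2"
    if matches_reference "$suspect" "$reference"; then
        if upx_marker_present "$suspect"; then
            echo "clean (identical to reference; UPX string is a false positive)"
        else
            echo "clean (identical to reference)"
        fi
    elif upx_marker_present "$suspect"; then
        echo "differs from reference and carries UPX marker"
    else
        echo "differs from reference"
    fi
}

# Constructed sample files, not real ELF binaries. "reference" stands in for
# a clean /sbin/init that happens to contain the text "UPX!"; the second file
# is an exact copy (a UPX hit on it is a false positive, as in DH's case);
# the third has been altered and would fail the comparison.
WORK=$(mktemp -d)
printf 'ELF\001\001program text\001UPX!\001' > "$WORK/reference"
cp "$WORK/reference" "$WORK/same_as_reference"
printf 'ELF\001\001program text\001extra code\001' > "$WORK/altered"

# Run the verdicts for both samples against the reference.
demo() {
    classify "$WORK/same_as_reference" "$WORK/reference"
    classify "$WORK/altered" "$WORK/reference"
}

demo
```

Running it prints one line per sample: the copy is reported clean with the UPX string noted as a false positive, the altered file is reported as differing from the reference. On a real system the reference would be the init binary from the matching release and patch level, which is why Matt notes that creating one means installing a clean 4.10, patching to the same level and building world.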