Date: Tue, 20 Nov 2007 19:01:20 +0200
From: Nikolay Pavlov <qpadla@gmail.com>
To: freebsd-security@freebsd.org
Cc: JP <johnpollock@bellsouth.net>
Subject: Re: chkrootkit V. 0.47
Message-ID: <200711201901.28546.qpadla@gmail.com>
In-Reply-To: <200711200941.52719.johnpollock@bellsouth.net>
References: <200711200941.52719.johnpollock@bellsouth.net>
On Tuesday 20 November 2007 16:41:52 JP wrote:
> Running FreeBSD 6.1
>
> After changing chkrootkit to the latest version V. 0.47 and compiling it
> then running it I get the following:
>
> ==================<SNIPPIT>================
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS: 6667)
> Checking `lkm'... You have 131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... vr0 is not promisc
> Checking `w55808'... not infected
> Checking `wted'... chkwtmp: nothing deleted
> ==================</SNIPPIT>================
>
> Looking above, the output shows a few anomalies, like the bindshell ...
> INFECTED (PORTS: 6667)
> --and--
> Checking `lkm'... You have 131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
>
> I do run an IRCd, and also a YaBB message board along with the Apache web
> server - would the above then be normal output, and what about the lkm?
> Many thanks to those with more experience in this area.
>

Such tools are known to trigger false positives sometimes. I'd recommend
playing with some additional utilities like lsof. In case of bindshell, try to
find processes that were executed from world-writable directories such
as /tmp.

Try to shut down httpd and other daemons and see if any of them are
still running.

--
======================================================================
- Best regards, Nikolay Pavlov. <<<-----------------------------------
======================================================================
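The triage the reply describes, written out as an added example that is not part of the original thread or of chkrootkit: for a chkrootkit `bindshell ... INFECTED (PORTS: 6667)` hit, use lsof output to find which process owns the listener on that port, look up the executable image of that process, and flag it when the binary lives under a world-writable directory such as /tmp. All lsof output, pids, user names and paths below are constructed for the example; the lsof flags named in the comments are the real ones a defender would run on the host.

```sh
#!/bin/sh
# Added example, not from the original thread: triage a chkrootkit bindshell
# report with lsof, following the reply's advice to find the process behind
# the listener and check whether it was started from a world-writable
# directory such as /tmp.
#
# The sample data below is CONSTRUCTED. On a live host the two inputs are:
#   lsof -nP -iTCP                 (TCP sockets; we keep the LISTEN ones)
#   lsof -nP -a -p <pid> -d txt    (executable image "txt" entry of one pid)

# Directories a legitimate daemon should never be executing from.
WORLD_WRITABLE_DIRS="/tmp /var/tmp"

# Constructed: what `lsof -nP -iTCP` might print on a box like the poster's.
SAMPLE_LISTENERS='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd     612 root    3u  IPv4 0xc1a0      0t0  TCP *:80 (LISTEN)
ircd      812 ircd    4u  IPv4 0xc1b4      0t0  TCP *:6667 (LISTEN)
ircd     9041 www     5u  IPv4 0xc1c8      0t0  TCP *:6668 (LISTEN)'

# Constructed: the "txt" lines of `lsof -nP -a -p <pid> -d txt`, one per pid.
# Note the second "ircd" shares the daemon's name but runs out of /tmp.
SAMPLE_TXT='httpd     612 root  txt    VREG   0,85   512000 1201 /usr/local/sbin/httpd
ircd      812 ircd  txt    VREG   0,85   900000 4411 /usr/local/sbin/ircd
ircd     9041 www   txt    VREG   0,85    88000 7711 /tmp/.x/ircd'

# listeners_on_port PORT  (reads `lsof -i` output on stdin)
# Prints "COMMAND PID" for every LISTEN socket bound to PORT.
listeners_on_port() {
    awk -v port="$1" '
        $NF == "(LISTEN)" && $(NF-1) ~ (":" port "$") { print $1, $2 }'
}

# exe_path_of PID  (reads lsof "txt" lines on stdin)
# Prints the executable path recorded for PID, or "unknown" if absent.
exe_path_of() {
    awk -v pid="$1" '
        $2 == pid && $4 == "txt" { print $NF; found = 1 }
        END { if (!found) print "unknown" }'
}

# in_world_writable_dir PATH
# Exit 0 when PATH lies under one of WORLD_WRITABLE_DIRS, 1 otherwise.
in_world_writable_dir() {
    for d in $WORLD_WRITABLE_DIRS; do
        case "$1" in "$d"/*) return 0 ;; esac
    done
    return 1
}

# triage PORT
# For each listener on PORT print "PID COMMAND PATH VERDICT", where the
# verdict is SUSPICIOUS when the binary runs from a world-writable directory.
triage() {
    printf '%s\n' "$SAMPLE_LISTENERS" | listeners_on_port "$1" |
    while read -r cmd pid; do
        path=$(printf '%s\n' "$SAMPLE_TXT" | exe_path_of "$pid")
        if in_world_writable_dir "$path"; then
            verdict=SUSPICIOUS
        else
            verdict=ok
        fi
        printf '%s %s %s %s\n' "$pid" "$cmd" "$path" "$verdict"
    done
}

# The port chkrootkit complained about, and the look-alike listener next to it.
triage 6667
triage 6668
```

With the constructed data, port 6667 resolves to the real ircd under /usr/local/sbin and is reported `ok`, which is the false-positive case the reply has in mind; the second listener resolves to a binary under /tmp and is reported `SUSPICIOUS`. The reply's last step, stopping httpd and the other daemons and re-running the check, stays a manual step: if the listener survives after the daemons that legitimately own it are down, the `exe_path_of` lookup is what tells you where the survivor came from.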