Date:      Tue, 20 Nov 2007 19:01:20 +0200
From:      Nikolay Pavlov <qpadla@gmail.com>
To:        freebsd-security@freebsd.org
Cc:        JP <johnpollock@bellsouth.net>
Subject:   Re: chkrootkit V. 0.47
Message-ID:  <200711201901.28546.qpadla@gmail.com>
In-Reply-To: <200711200941.52719.johnpollock@bellsouth.net>
References:  <200711200941.52719.johnpollock@bellsouth.net>


On Tuesday 20 November 2007 16:41:52 JP wrote:
> Running FreeBSD 6.1
>
> After changing chkrootkit to the latest version V. 0.47 and compiling it
> then running it I get the following:
>
> ==================<SNIPPIT>================
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS:  6667)
> Checking `lkm'... You have   131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... vr0 is not promisc
> Checking `w55808'... not infected
> Checking `wted'... chkwtmp: nothing deleted
> ==================</SNIPPIT>================
>
> Looking above, the above shows a few anomalies like the bindshell ...
> INFECTED (PORTS: 6667)
> --and--
> Checking `lkm'... You have   131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
>
> I do run an IRCd, and also YABB Message board along with APACHE web
> server - would the above then be normal output, and what about the lkm?
> Many thanks to those with more experience in this area.
>

Such tools are known to trigger false positives sometimes. I'd recommend
playing with some additional utilities like lsof. In case of bindshell, try to
find processes that were executed from world-writable directories such
as /tmp. Try to shut down httpd and other daemons and see if any of them are
still running.


-- 
======================================================================  
- Best regards, Nikolay Pavlov. <<<-----------------------------------    
======================================================================  


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQBHQxLo/2R6KvEYGaIRAgO6AKCdyt/Xb48JwvriybSNgI39ZWkdzgCg6pXz
m6qVgmTeYbFrT4eNokrTLmc=
=6PRK
-----END PGP SIGNATURE-----
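The triage Nikolay describes (map the reported port to its owning process, then check where that process's binary lives) can be scripted. The following is an added example, not code from either poster: it parses FreeBSD `sockstat -4l` and `procstat -b` output, here replaced by constructed sample text so it runs offline, and treats /tmp, /var/tmp and /dev/shm as the world-writable scratch directories to flag. The PIDs, paths and the `perl` listener on 6668 are invented for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage a chkrootkit "bindshell" hit by
# mapping the listening port to a process and checking its binary's directory.

# Constructed sample of `sockstat -4l` output on FreeBSD (header plus 4 rows).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
ircd     ircd       1234  5  tcp4   *:6667                *:*
www      httpd      2345  3  tcp4   *:80                  *:*
root     sshd       456   4  tcp4   *:22                  *:*
nobody   perl       6789  3  tcp4   *:6668                *:*'

# Constructed sample of `procstat -b` output (PID COMM OSREL PATH); the /tmp
# path is a made-up example of a binary started from a scratch directory.
SAMPLE_PROCSTAT='  PID COMM              OSREL PATH
 1234 ircd             602000 /usr/local/bin/ircd
 2345 httpd            602000 /usr/local/sbin/httpd
  456 sshd             602000 /usr/sbin/sshd
 6789 perl             602000 /tmp/.x/perl'

# Print "COMMAND PID" of the process listening on PORT; sockstat text on stdin.
# The header line is skipped; LOCAL ADDRESS is field 6 (e.g. "*:6667").
listener_for_port() {
    port="$1"
    awk -v p="$port" 'NR > 1 && $6 ~ (":" p "$") { print $2, $3 }'
}

# Print "PID PATH" for every process whose binary sits under a world-writable
# scratch directory; procstat text on stdin.
suspicious_binaries() {
    awk 'NR > 1 && $4 ~ "^/(var/)?tmp/|^/dev/shm/" { print $1, $4 }'
}

# Join both views for one port: report command, PID and binary path, and say
# whether the binary lives in a scratch directory. Exit status: 0 = ordinary
# path, 1 = no listener found, 2 = binary in a world-writable directory.
triage_port() {
    port="$1"
    sockstat_out="$2"
    procstat_out="$3"
    set -- $(printf '%s\n' "$sockstat_out" | listener_for_port "$port")
    if [ -z "$1" ]; then
        echo "port $port: no listener"
        return 1
    fi
    comm="$1"
    pid="$2"
    path=$(printf '%s\n' "$procstat_out" | awk -v pid="$pid" 'NR > 1 && $1 == pid { print $4 }')
    case "$path" in
        /tmp/*|/var/tmp/*|/dev/shm/*)
            echo "port $port: $comm pid $pid binary $path (world-writable dir, investigate)"
            return 2 ;;
        *)
            echo "port $port: $comm pid $pid binary $path"
            return 0 ;;
    esac
}

# Stand-alone demo against the constructed samples.
triage_port 6667 "$SAMPLE_SOCKSTAT" "$SAMPLE_PROCSTAT" || :
triage_port 6668 "$SAMPLE_SOCKSTAT" "$SAMPLE_PROCSTAT" || :
printf '%s\n' "$SAMPLE_PROCSTAT" | suspicious_binaries
```

On a live system the two samples would come from `sockstat -4l` and `procstat -b` (or `lsof -i`, as suggested in the reply); the point is that the port 6667 listener resolving to the IRCd's own binary under /usr/local is what a false positive looks like, while a listener whose binary is under /tmp is the case worth a closer look.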

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200711201901.28546.qpadla>