From: Nikolay Pavlov <qpadla@gmail.com>
To: freebsd-security@freebsd.org
Date: Tue, 20 Nov 2007 19:01:20 +0200
User-Agent: KMail/1.9.6 (enterprise 0.20070907.709405)
References: <200711200941.52719.johnpollock@bellsouth.net>
In-Reply-To: <200711200941.52719.johnpollock@bellsouth.net>
Message-Id: <200711201901.28546.qpadla@gmail.com>
Cc: JP
Subject: Re: chkrootkit V. 0.47

On Tuesday 20 November 2007 16:41:52 JP wrote:
> Running FreeBSD 6.1
>
> After changing chkrootkit to the latest version V. 0.47 and compiling it
> then running it I get the following:
>
> ====================================
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS: 6667)
> Checking `lkm'... You have 131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... vr0 is not promisc
> Checking `w55808'... not infected
> Checking `wted'... chkwtmp: nothing deleted
> ====================================
>
> Looking above, the above shows a few anomalies like the bindshell ...
> INFECTED (PORTS: 6667)
> --and--
> Checking `lkm'... You have 131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
>
> I do run an IRCd, and also YABB Message board along with APACHE web
> server - would the above then be normal output, and what about the lkm?
> Many thanks to those with more experience in this area.
>

Such tools are known to trigger false positives sometimes. I'd recommend
playing with some additional utilities like lsof. In case of bindshell, try to
find processes that were executed from world-writable directories such
as /tmp. Try to shut down httpd and other daemons and see if any of them
are still running.

-- 
Best regards, Nikolay Pavlov.
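The triage Nikolay describes (find what is bound to the flagged port, look for processes started from world-writable directories, stop the known daemons and see what is still listening) can be scripted so it is repeatable and leaves a record. The helpers below are an added example written for this archive page, not code from the thread or from chkrootkit. They assume the column layout of FreeBSD's `sockstat -4l` (field 6 is the local address) and of `ps -axo pid,user,comm,args` (field 4 is the executable path); the three sample listings are constructed, not captured from a real host, and the "after" snapshot deliberately keeps an `ircd` listener so the last check has something to flag.

```shell
#!/bin/sh
# Added example, not code from the thread: helpers that carry out the triage
# Nikolay suggests. Each function reads the saved output of a command from
# stdin, so it runs offline on the constructed samples below and on real
# captures alike, e.g. `sockstat -4l | listeners_on_port 6667`.

# Constructed sample of FreeBSD `sockstat -4l` output (not from a real host).
SAMPLE_BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
ircd     ircd       812   3  tcp4   *:6667                *:*
www      httpd      1023  4  tcp4   *:80                  *:*
root     sshd       455   3  tcp4   *:22                  *:*'

# Constructed snapshot taken after stopping httpd and ircd. The ircd listener
# is deliberately left in place so the last check below has something to flag.
SAMPLE_AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
ircd     ircd       812   3  tcp4   *:6667                *:*
root     sshd       455   3  tcp4   *:22                  *:*'

# Constructed sample of `ps -axo pid,user,comm,args`; one entry is placed
# under /tmp so the world-writable-directory check has a hit.
SAMPLE_PS='  PID USER   COMMAND ARGS
  455 root   sshd    /usr/sbin/sshd
  812 ircd   ircd    /usr/local/sbin/ircd -f /usr/local/etc/ircd.conf
  917 nobody httpd   /tmp/.cache/httpd -q
 1023 www    httpd   /usr/local/sbin/httpd -k start'

# listeners_on_port PORT: print "COMMAND PID" for each socket bound to PORT.
# Field 6 of a sockstat data row is the local address ("*:6667", "10.0.0.1:6667").
listeners_on_port() {
  awk -v p="$1" 'NR > 1 && $6 ~ (":" p "$") { print $2, $3 }'
}

# procs_from_world_writable: print "PID PATH" for every process whose
# executable path (first word of ARGS, field 4) lives under /tmp or /var/tmp.
procs_from_world_writable() {
  awk 'NR > 1 && ($4 ~ "^/tmp/" || $4 ~ "^/var/tmp/") { print $1, $4 }'
}

# still_listening_after_stop "NAME NAME ...": given a sockstat snapshot taken
# after those daemons were stopped, print "COMMAND PID LOCAL" for any listener
# still carrying one of their names. Anything printed deserves a closer look.
still_listening_after_stop() {
  awk -v stopped="$1" '
    BEGIN { n = split(stopped, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
    NR > 1 && ($2 in want) { print $2, $3, $6 }'
}

# Stand-alone demo over the constructed samples.
echo "Listeners on 6667:"
printf '%s\n' "$SAMPLE_BEFORE" | listeners_on_port 6667
echo "Processes running from world-writable directories:"
printf '%s\n' "$SAMPLE_PS" | procs_from_world_writable
echo "Listeners still present after stopping httpd and ircd:"
printf '%s\n' "$SAMPLE_AFTER" | still_listening_after_stop "httpd ircd"
```

On the poster's host the first check is expected to name the IRCd, which is what makes the `bindshell` line a false positive; the value of the script is in the other two checks, which only print something when a process has no legitimate reason to be where it is. The `ps` check looks at the reported argv path and can be fooled by a process that rewrites its own arguments, so treat an empty result as "nothing obvious" rather than a clean bill of health.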