From: Alex Povolotsky
To: freebsd-security@freebsd.org
Date: Thu, 11 Sep 2003 12:50:02 +0400
Subject: Re: chkrotkit 4.1 and FreeBSD 4.5
Message-Id: <20030911125002.5f643aaf.tarkhil@webmail.sub.ru>
In-Reply-To: <20030911105744.240e66be.tarkhil@webmail.sub.ru>

On Thu, 11 Sep 2003 10:57:44 +0400
Alex Povolotsky wrote:

AP> Hello!
AP>
AP> I've found that on two FreeBSD 4.5-RELEASE boxes chkrootkit finds:
AP>
AP> Checking `chfn'... INFECTED
AP> Checking `chsh'... INFECTED
AP> Checking `date'... INFECTED
AP> Checking `ls'... INFECTED
AP> Checking `ps'... INFECTED
AP>
AP> recompiling, say, ls from sources didn't help. False positive or
AP> source changed as well?

False positive. chkrootkit, for some reason I could not understand, thinks that 4.5-RELEASE is 5.*

--
Alex.