Date:      Tue, 20 May 2003 17:06:30 -0300 (ART)
From:      Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To:        Guy Van Sanden <n.b@myrealbox.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: HELP - Rootkit
Message-ID:  <20030520170358.S22927-100000@cactus.fi.uba.ar>
In-Reply-To: <1053458317.2956.191.camel@cronos.home.vsb>

On 20 May 2003, Guy Van Sanden wrote:

> I found some strange files in /stand namely -sh and [

They are perfectly normal. Don't worry about them.

> This got me somewhat suspicious, so I installed chkrootkit.
>
> It says:
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `cron'... not infected
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
> Checking `lkm'... You have     9 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Does this mean I got hacked?

Is it a 5.0 system? chkrootkit gives false positives in 5.0.


			Fer


