From owner-freebsd-stable@FreeBSD.ORG  Sat Dec 23 21:26:30 2006
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 457BF16A407
	for <freebsd-stable@freebsd.org>; Sat, 23 Dec 2006 21:26:30 +0000 (UTC)
	(envelope-from matthew.herzog@gmail.com)
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.186])
	by mx1.freebsd.org (Postfix) with ESMTP id D77D313C45B
	for <freebsd-stable@freebsd.org>; Sat, 23 Dec 2006 21:26:29 +0000 (UTC)
	(envelope-from matthew.herzog@gmail.com)
Received: by nf-out-0910.google.com with SMTP id x37so3639949nfc
	for <freebsd-stable@freebsd.org>; Sat, 23 Dec 2006 13:26:28 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
	h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition;
	b=nr7fUyoUG25JFOTZCBKkxGGnmRgIG4rAyAou+N06U79+ahVw2+VmGhP2AESWiAvLYJ4iPZLMmlx5nM+hyrySBlKfpjFEuv2ShCOpSydhiA06+1sHnYBrg6bvmoAu4D2RYPMWdpqw7AwusJ+IO6IWYtx6r+xhwbBaqLkloYrh+60=
Received: by 10.82.127.15 with SMTP id z15mr661380buc.1166907455776;
	Sat, 23 Dec 2006 12:57:35 -0800 (PST)
Received: by 10.82.190.9 with HTTP; Sat, 23 Dec 2006 12:57:35 -0800 (PST)
Message-ID: <7cf39bb60612231257p1a8a62c3g43a9da939306a59e@mail.gmail.com>
Date: Sat, 23 Dec 2006 15:57:35 -0500
From: "Matthew Herzog" <matthew.herzog@gmail.com>
To: freebsd-stable@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: chkrootkit finds 94 process hidden for readdir
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Dec 2006 21:26:30 -0000

Hello.

I run FreeBSD 6.1-RELEASE-p7 on an UltraSparc 5 machine.

I ran chkrootkit yesterday and saw this:

Checking `lkm'... You have    94 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed

Everything else was deemed clean by chkrootkit.

When I booted into single user mode and ran chkrootkit it said there were
"33 process hidden for readdir command"

The sha256 checksum is slightly different for the /usr/bin/su binary
on the install
media compared to the /usr/bin/su on the running install.

I could find nothing definitive on this subject posted online so . . . .


-- Matt H.