Date:      Mon, 25 Aug 2003 08:27:33 +0900
From:      horio shoichi <bugsgrief@bugsgrief.net>
To:        patpro <patpro@patpro.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: weird problem with chkrootkit and checksums
Message-ID:  <20030824.232734.8f68bd1f152d203f.10.0.3.9@bugsgrief.net>
In-Reply-To: <BB6E4FBB.3026%patpro@patpro.net>
References:  <BB6E4FBB.3026%patpro@patpro.net>

On Sun, 24 Aug 2003 11:19:24 +0200
patpro <patpro@patpro.net> wrote:
> Hello,
> 
> last night, my chkrootkit crontab returned an alarm message :
> 
> > Checking `lkm'... You have     1 process hidden for readdir command
> > You have     2 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> 
> Some research on Google makes me think it's probably a false positive. I
> tried a few things:
> 
> re-launching chkrootkit: "Checking `lkm'... nothing detected"
> re-compiling and launching a fresh binary: "Checking `lkm'... nothing
> detected"
> and comparing some critical binaries with the ones compiled at the beginning
> of August during a make world:
> 
> $ md5 /usr/obj/usr/src/bin/ls/ls
> MD5 (/usr/obj/usr/src/bin/ls/ls) = cd2dcad3cc08b5f5ad05456f016e8099
> $ md5 /bin/ls
> MD5 (/bin/ls) = 1808e84cfcbaf71ce1073cc418ff262a
> 
> $ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
> MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) =
> 7fbd1e72a5795b038b16ece37df13ee0
> $ md5 /usr/bin/netstat
> MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501
> 
> I feel like there is something wrong here...
> I picked up random binaries and compared their checksum with their
> /usr/obj/usr/src/ counterpart and every time it does not match.
> I tried the same check on another box running the same version of FreeBSD
> and found the same differing checksums:
> 
> $ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
> MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) =
> 7fbd1e72a5795b038b16ece37df13ee0
> $ md5 /usr/bin/netstat
> MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501
> 
> So I guess it's normal behavior. Can someone please explain to me why
> original binaries (/usr/obj/usr/src/) don't have the same checksum as
> installed binaries?
> 
> thanks,
> 
> patpro
> 
> 

Like this?

% ls -l /bin/ls
-r-xr-xr-x  1 root  wheel  304840  Aug  6 23:52 /bin/ls*
% ls -l /usr/obj/usr/src/bin/ls/ls
-rwxr-xr-x  1 root  horio  328286 Aug  6 22:40 /usr/obj/usr/src/bin/ls/ls*
% file /bin/ls
/bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 4.8, statically linked, stripped
% file /usr/obj/usr/src/bin/ls/ls
/usr/obj/usr/src/bin/ls/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 4.8, statically linked, not stripped


horio shoichi
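An added example, not code from either message in this thread: a small Python script showing why a whole-file MD5 of the /usr/obj build and of the installed binary can differ even when the program code is identical. It hashes only the sections that are mapped at run time (SHF_ALLOC), which is exactly what strip(1) leaves alone, and it reports whether a .symtab is present, which is what file(1) means by "stripped". The ELF images it compares are constructed inside the script; it handles little-endian ELF64 only, not the i386 ELF32 binaries shown above.

```python
import hashlib
import struct

SHF_ALLOC, SHT_SYMTAB, SHT_NOBITS = 0x2, 2, 8
SHDR = "IIQQQQIIQQ"  # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize

def elf_sections(data):
    """Parse a little-endian ELF64 image into [(name, type, flags, body)]."""
    if data[:5] != b"\x7fELF\x02":
        raise ValueError("not an ELF64 image")
    shoff = struct.unpack_from("<Q", data, 0x28)[0]          # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    hdrs = [struct.unpack_from("<" + SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    strtab = hdrs[shstrndx][4]                               # .shstrtab file offset
    out = []
    for name_off, typ, flags, _addr, off, size, *_ in hdrs:
        name = data[strtab + name_off:data.index(b"\0", strtab + name_off)].decode()
        body = b"" if typ == SHT_NOBITS else data[off:off + size]   # .bss has no file bytes
        out.append((name, typ, flags, body))
    return out

def is_stripped(data):
    """strip(1) removes .symtab; its absence is what file(1) reports as 'stripped'."""
    return not any(t == SHT_SYMTAB for _, t, _, _ in elf_sections(data))

def loadable_digest(data):
    """SHA-256 over SHF_ALLOC sections only, i.e. the bytes mapped at run time.
    Symbol and debug sections are not allocated, so stripping does not change it."""
    h = hashlib.sha256()
    for name, _, flags, body in elf_sections(data):
        if flags & SHF_ALLOC:
            h.update(name.encode() + b"\0" + body)
    return h.hexdigest()

def make_elf64(text, with_symtab=True):
    """Constructed minimal ELF64 fixture (not a runnable program): a .text section
    plus, optionally, a placeholder .symtab, standing in for an unstripped build."""
    secs = [(b"", 0, 0, b""), (b".text", 1, 0x6, text)]     # SHT_PROGBITS, flags AX
    if with_symtab:
        secs.append((b".symtab", SHT_SYMTAB, 0, b"\0" * 48))
    shstr = b"".join(n + b"\0" for n, *_ in secs) + b".shstrtab\0"
    secs.append((b".shstrtab", 3, 0, shstr))                # SHT_STRTAB
    payload, hdrs, name_off = b"", b"", 0
    for name, typ, flags, body in secs:                     # bodies follow the 64-byte header
        hdrs += struct.pack("<" + SHDR, name_off, typ, flags, 0, 64 + len(payload), len(body), 0, 0, 1, 0)
        payload, name_off = payload + body, name_off + len(name) + 1
    shoff = 64 + len(payload)                               # section headers come last
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(secs), len(secs) - 1)
    return ehdr + payload + hdrs
```

On a real system the equivalent one-off check is to strip a copy of the /usr/obj binary with `strip -o` and md5 that copy against the installed file; a digest that still differs after that points at a different build, not at stripping.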


