Date: Sun, 8 Jun 2003 00:44:35 -0700 (PDT)
From: "Perry S. Glenn" <psglenn@yahoo.com>
To: freebsd-current@freebsd.org
Subject: chkrootkit w/ current
Message-ID: <20030608074435.26148.qmail@web13606.mail.yahoo.com>

Hello,

I'm running current and I had forgotten to turn the ftp knob in inetd.conf off. I came back after a drive to find my /var/ filesystem full. I did not (per sysinstall) have anon ftp on, but someone made lots of bogus directories in /var/ftp/pub anyway.

I decided to install /ports/security/chkrootkit after a short google. chkrootkit says it finds 12 processes hidden from the ps command and a possible LKM Trojan installed. chkrootkit also calls ls, ps, date, chsh and chfn "INFECTED".

Is chkrootkit giving accurate info for FreeBSD-5? Could someone check to see if they get false positives with this script on current?

TIA

--psglenn