Date: Wed, 14 Apr 2004 14:11:34 -0700
From: Mike <addymin@pacbell.net>
To: Jeff Maxwell <max@epix.net>, freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: False positives from chkrootkit? or hacked test server? [SOLVED]
Message-ID: <407DA906.4070209@pacbell.net>
In-Reply-To: <38D85174-8E4F-11D8-986A-000502716489@epix.net>
References: <407D910F.8050507@pacbell.net> <38D85174-8E4F-11D8-986A-000502716489@epix.net>
Jeff Maxwell wrote:
> upgrade your ports. The chkrootkit that ships with 4.9 gives false
> positives
>

Jeff:

Thanks for the tip. I deinstalled the chkrootkit (v-4.1) that came with 4.9.
I then downloaded and installed the most recent version (v-4.3) from the
chkrootkit.org site. I re-ran chkrootkit and found NO infected files and NO
rootkits.

Michael Chinn

>
> On Apr 14, 2004, at 3:29 PM, Mike wrote:
>
>> Greetings:
>>
>> My test system:
>> FreeBSD 4.9-stable
>> Pentium III 800
>>
>> I read an earlier post about using chkrootkit to check for root kits
>> (intrusions). I'm still learning about FreeBSD so I thought I would
>> run this too.
>>
>> Well... I installed and ran chkrootkit. And the output shows that:
>>
>> Checking `chfn'... INFECTED
>> Checking `chsh'... INFECTED
>> Checking `date'... INFECTED
>> Checking `ls'... INFECTED
>> Checking `ps'... INFECTED
>>
>> No rootkits were found.
>>
>> This FreeBSD system is a test server running Postfix, Samba, Apache,
>> PHP4, MySql, and akpop3. For a firewall I run IPFW.
>>
>> This computer sits behind a NAT router (linksys BEFSR41). The Linksys
>> router forwards a few ports (25, 110, 80) to a different server (a
>> Redhat-9 system). However, NO PORTS are forwarded to this FreeBSD system.
>>
>> My Redhat-9 server runs Apache, Mysql, php4, and postfix.
>>
>> Question: Does chkrootkit ever generate false positives?
>>
>> This system has just a few test websites on it (test data) and nothing
>> else. But if this system has been compromised, then how? Given that
>> any public services (forwarded from the router) coming across ports
>> 25, 110, 80, 22 are sent to a different server altogether?
>>
>> I would appreciate any hints or pointers. Thank you.
>>
>> Michael Chinn
>>
>>
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
>>
>
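The question the thread raises, whether an `INFECTED` line from chkrootkit means the binary really changed, is best answered by comparing the file against a hash recorded while the host was known clean. The following POSIX shell script is an added example, not code from the thread or from chkrootkit: it extracts the names chkrootkit marked `INFECTED` (in the output layout quoted above) and checks each against a SHA-256 baseline. The baseline layout (`<sha256>  <path>`) and the fixture files are assumptions constructed here.

```shell
#!/bin/sh
# Added example: corroborate chkrootkit "INFECTED" verdicts against a hash
# baseline taken when the host was known clean (assumed "<sha256>  <path>" lines,
# the layout sha256sum prints; "sha256 -r" on FreeBSD prints the same).

# Read chkrootkit output on stdin; print the names it marked INFECTED, one per line.
infected_names() {
    sed -n "s/^Checking \`\([^']*\)'\.\.\. INFECTED\$/\1/p"
}

# Hash one file, using whichever SHA-256 tool the system has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else sha256 -q "$1"; fi
}

# verify_binary NAME BINDIR BASELINE -> "NAME CLEAN|MODIFIED|NOBASELINE"
# NOBASELINE means the baseline cannot settle the question either way.
verify_binary() {
    path="$2/$1"
    expected=$(awk -v p="$path" '$2 == p {print $1}' "$3")
    if [ -z "$expected" ]; then echo "$1 NOBASELINE"
    elif [ "$(hash_file "$path")" = "$expected" ]; then echo "$1 CLEAN"
    else echo "$1 MODIFIED"; fi
}

# Fixture (constructed data): three stand-in "binaries", a baseline taken while
# they are pristine, then one of them altered to simulate tampering. Real use
# would point at /bin or /usr/bin and a baseline stored off-host at install time.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/bin"
    for n in ls ps date; do printf 'original %s\n' "$n" > "$work/bin/$n"; done
    for n in ls ps date; do
        echo "$(hash_file "$work/bin/$n")  $work/bin/$n"
    done > "$work/baseline"
    printf 'trojaned\n' >> "$work/bin/ps"        # ps now differs from the baseline
    # Constructed chkrootkit output in the layout quoted in the thread.
    printf "Checking \`ls'... INFECTED\nChecking \`ps'... INFECTED\nChecking \`date'... not infected\nChecking \`chfn'... INFECTED\n" \
        | infected_names \
        | while read -r n; do verify_binary "$n" "$work/bin" "$work/baseline"; done
    rm -rf "$work"
}
```

Running `demo` reports `ls CLEAN`, `ps MODIFIED` and `chfn NOBASELINE`: a chkrootkit hit on a binary whose hash still matches the baseline is a false positive, a mismatch warrants investigation, and a file the baseline never covered is simply undecided.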