Date:      Wed, 9 Oct 2002 09:36:25 -0700
From:      "Riley" <rileyjmc@pacbell.net>
To:        "Mike Hoskins" <mike@adept.org>, "Anthony Schneider" <anthony@x-anthony.com>
Cc:        "FreeBSD Security" <freebsd-security@FreeBSD.ORG>, "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>
Subject:   RE: chkrootkit help
Message-ID:  <HEEELMCBPANKADCOBOFPAELAHAAA.rileyjmc@pacbell.net>
In-Reply-To: <20021007141041.S84008-100000@fubar.adept.org>

Greetings,

I'd like to thank all who replied, the advice and suggestions were valuable
and appreciated, not to mention timely!

It looks like it was a false positive.  I ran netstat from cd, new
chkrootkit compiled on a clean machine, and nmap remotely.  It also made
sense to mount / (-ro) from a clean machine and do a diff -r /bin /mnt/bin.
There doesn't seem to be a security breach.  I'll rebuild the machine anyway
soon.

There's a known issue with chkrootkit reporting false positives running
programs that use bindshell's ports.  Although these aren't running on this
machine (an _up-to-date_ DNS/mail server), it was in an unstable state for
known reasons.  An nmap from a remote machine of the entire network directed
at the firewall showed nothing abnormal.

I'm going to rebuild it anyway, but wanted to follow up.  Also, if the above
is misguided, please advise!

Again, thanks,

Riley
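
The checks the thread describes (run tools from clean media, mount a clean system read-only and diff its /bin against the suspect one, and Anthony's aside that sockstat is a perl script rather than a binary), as an added POSIX shell example that is not from the thread; the directory paths and the sample files are constructed assumptions, and this assumes file names without whitespace.

```shell
#!/bin/sh
# Added example, not from the thread.  Run it from the clean boot medium so
# that find/cmp/dd themselves are trusted; the file list comes from the
# TRUSTED tree, not from the suspect one, so a trojaned find cannot hide a file.

# verify_tree SUSPECT TRUSTED: prints MODIFIED/MISSING/EXTRA lines and a final
# "DIFFS n".  Byte-for-byte comparison, so a replaced binary is reported even
# when its size and mtime were preserved (the plain "diff -r" from the thread
# does the same; this version also lists files only the suspect tree has).
verify_tree() {
    suspect=$1; trusted=$2; n=0
    for f in $(cd "$trusted" && find . -type f | sort); do
        if [ ! -e "$suspect/$f" ]; then
            echo "MISSING  $suspect/$f"; n=$((n + 1))
        elif ! cmp -s "$trusted/$f" "$suspect/$f"; then
            echo "MODIFIED $suspect/$f"; n=$((n + 1))
        fi
    done
    for f in $(cd "$suspect" && find . -type f | sort); do
        [ -e "$trusted/$f" ] || { echo "EXTRA    $suspect/$f"; n=$((n + 1)); }
    done
    echo "DIFFS $n"
}

# is_script FILE: true when the "binary" is really an interpreted script
# (first two bytes are "#!"), i.e. it is only as trustworthy as the
# interpreter and every module it loads, which a checksum of FILE alone
# does not cover.  dd is used instead of head -c to stay POSIX.
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "#!" ]
}

# Constructed demo: a clean tree and a suspect tree with one replaced file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/bin" "$tmp/suspect/bin"
    printf 'ELF-like contents\n' > "$tmp/clean/bin/ls"
    printf 'ELF-like contents\n' > "$tmp/clean/bin/netstat"
    printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$tmp/clean/bin/sockstat"
    cp "$tmp/clean/bin/ls" "$tmp/clean/bin/sockstat" "$tmp/suspect/bin/"
    printf 'trojaned contents\n' > "$tmp/suspect/bin/netstat"
    verify_tree "$tmp/suspect/bin" "$tmp/clean/bin"     # ends with "DIFFS 1"
    is_script "$tmp/clean/bin/sockstat" && echo "sockstat is a script"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```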


> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Mike Hoskins
> Sent: Monday, October 07, 2002 2:11 PM
> To: Anthony Schneider
> Cc: Riley; FreeBSD Security
> Subject: Re: chkrootkit help
>
>
> On Mon, 7 Oct 2002, Anthony Schneider wrote:
> > > You could try using a trusted sockstat binary to verify what's listening
> > > on the local system.
> > > % sockstat -4l
> > quick aside: sockstat is a perl script, unless this changed with
> > 4.6.2.
>
> Eww, I hadn't noticed.  Good point, stick to a safe netstat from cdrom,
> etc.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
