From owner-freebsd-questions Wed Oct 9 9:36:40 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E108337B401; Wed, 9 Oct 2002 09:36:38 -0700 (PDT)
Received: from aji.wilshire.net (worm.wilshire.net [64.161.77.242]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9E19F43E7B; Wed, 9 Oct 2002 09:36:37 -0700 (PDT) (envelope-from rileyjmc@pacbell.net)
Received: from emilyd (emilyd.wilshire.net [10.100.123.20]) by aji.wilshire.net (8.12.3/8.12.3) with SMTP id g99GZFDk021451; Wed, 9 Oct 2002 09:35:16 -0700 (PDT) (envelope-from rileyjmc@pacbell.net)
From: "Riley"
To: "Mike Hoskins", "Anthony Schneider"
Cc: "FreeBSD Security", "FreeBSD Questions"
Subject: RE: chkrootkit help
Date: Wed, 9 Oct 2002 09:36:25 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
In-Reply-To: <20021007141041.S84008-100000@fubar.adept.org>
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Greetings,

I'd like to thank all who replied; the advice and suggestions were valuable and appreciated, not to mention timely!

It looks like it was a false positive. I ran netstat from CD, a new chkrootkit compiled on a clean machine, and nmap remotely. It also made sense to mount / (-ro) from a clean machine and do a diff -r /bin /mnt/bin. There doesn't seem to be a security breach. I'll rebuild the machine anyway soon.

There's a known issue with chkrootkit reporting false positives for running programs that use bindshell's ports. Although these aren't running on this machine (an _up-to-date_ DNS/mail server), it was in an unstable state for known reasons. An nmap from a remote machine of the entire network directed at the firewall showed nothing abnormal.

I'm going to rebuild it anyway, but wanted to follow up. Also, if the above is misguided, please advise!

Again, thanks,
Riley

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Mike Hoskins
> Sent: Monday, October 07, 2002 2:11 PM
> To: Anthony Schneider
> Cc: Riley; FreeBSD Security
> Subject: Re: chkrootkit help
>
>
> On Mon, 7 Oct 2002, Anthony Schneider wrote:
>
> > > You could try using a trusted sockstat binary to verify what's listening
> > > on the local system.
> > > % sockstat -4l
> > quick aside: sockstat is a perl script, unless this changed with
> > 4.6.2.
>
> Eww, I hadn't noticed. Good point, stick to a safe netstat from cdrom,
> etc.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
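An added example, not from the thread, of the integrity check Riley describes (comparing a suspect /bin against a known-good copy, with the suspect filesystem mounted read-only): it hashes every file in the trusted tree and reports modified, missing and extra files, which a plain `diff -r` only shows as raw differences. It assumes POSIX sh with find, mktemp and GNU sha256sum or BSD sha256; the sample trees it builds are constructed stand-ins, not real binaries.

```shell
#!/bin/sh
# Added example. Compare a trusted directory (e.g. /bin on a clean machine)
# with the same directory on a suspect system mounted read-only, as in
# "diff -r /bin /mnt/bin". Paths containing whitespace are not handled.

# Print the SHA-256 of one file; assumes GNU sha256sum or BSD sha256.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# compare_trees GOOD SUSPECT: prints "MODIFIED", "MISSING" (only in GOOD)
# or "EXTRA" (only in SUSPECT) per differing file; returns 1 if any differ.
compare_trees() {
    good=$1; suspect=$2; rc=0
    for f in $(cd "$good" && find . -type f | sort); do
        if [ ! -f "$suspect/$f" ]; then
            echo "MISSING $f"; rc=1
        elif [ "$(hash_file "$good/$f")" != "$(hash_file "$suspect/$f")" ]; then
            echo "MODIFIED $f"; rc=1
        fi
    done
    for f in $(cd "$suspect" && find . -type f | sort); do
        [ -f "$good/$f" ] || { echo "EXTRA $f"; rc=1; }
    done
    return $rc
}

# Constructed sample trees (plain text stand-ins for binaries): the suspect
# copy has one altered file, one missing file and one file that should not
# be there. Prints the temporary directory that holds both trees.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/good" "$d/suspect"
    printf 'ls-v1\n' > "$d/good/ls";  printf 'ls-v1\n'      > "$d/suspect/ls"
    printf 'ps-v1\n' > "$d/good/ps";  printf 'ps-altered\n' > "$d/suspect/ps"
    printf 'sh-v1\n' > "$d/good/sh"
    printf 'x\n' > "$d/suspect/.hidden"
    echo "$d"
}

# Demo run; for a real check pass the trusted copy and the mounted suspect
# directory instead, e.g. compare_trees /bin /mnt/bin.
demo=$(make_demo)
compare_trees "$demo/good" "$demo/suspect" || echo "differences found"
rm -rf "$demo"
```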