Date: Fri, 21 May 2004 22:40:58 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Tom Rhodes <trhodes@FreeBSD.org> Cc: RazorOnFreeBSD <yann.luppo@attglobal.net> Subject: Re: Hacked or not ? Message-ID: <20040521214058.GD89897@happy-idiot-talk.infracaninophile.co.uk> In-Reply-To: <20040521161133.080c23d7@localhost> References: <021f01c43f3a$e7eb7f40$0f01a8c0@razor> <20040521200254.GC89897@happy-idiot-talk.infracaninophile.co.uk> <20040521161133.080c23d7@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
--iVCmgExH7+hIHJ1A Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, May 21, 2004 at 04:11:33PM -0400, Tom Rhodes wrote: > On Fri, 21 May 2004 21:02:54 +0100 > Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote: >=20 > > On Fri, May 21, 2004 at 03:52:45PM +0200, RazorOnFreeBSD wrote: > >=20 > > > I have a 4.9-STABLE FreeBSD box apparently hacked! > > > Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.= =20 > > > Those are: > > > chfn ... INFECTED > > > chsh ... INFECTED > > > date ... INFECTED > > > ls ... INFECTED > > > ps ... INFECTED > >=20 > > Sheesh. Not this *again*. This is a false alarm: chkrootkit is > > exceedingly sensitive to something about the way such programs work > > under FreeBSD and has to be continually futzed so that it knows not to > > complain on each successive version of FreeBSD. Comes up in this or > > other FreeBSD lists just about every week. > >=20 > > Relax. You're not compromised. You just need better tools. > >=20 >=20 > I love the "just need better tools." without any recommendation > for him. Well, the question was "has my machine been compromised", which I answered. =20 The current version of chkrootkit in ports (0.43) has a problem whereby it thinks FreeBSD 4.10 is a higher version than FreeBSD 5.0, which means that it reports certain programs are infected because they *don't* fail in the expected way found on 5.0 or above. Here's a patch: --- chkrootkit.orig Fri May 21 22:19:16 2004 +++ chkrootkit Fri May 21 22:36:29 2004 @@ -257,7 +257,7 @@ { prog=3D"" if [ \( "${SYSTEM}" =3D "Linux" -o \( "${SYSTEM}" =3D "FreeBSD" -a \ - ${V} -gt 43 \) \) -a "${ROOTDIR}" =3D "/" ]; then + ${V} -gt 403 \) \) -a "${ROOTDIR}" =3D "/" ]; then [ ! -x /usr/local/sbin/chkproc ] && prog=3D"/usr/local/sbin/chkproc" [ ! -x /usr/local/sbin/chkdirs ] && prog=3D"$prog /usr/local/sbin/ch= kdirs" if [ "$prog" !=3D "" ]; then @@ -1080,7 +1080,7 @@ STATUS=3D${INFECTED} fi;; FreeBSD) - [ $V -gt 50 ] && n=3D1 || n=3D2 + [ $V -gt 500 ] && n=3D1 || n=3D2 if [ `${strings} -a ${CMD} | \ ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ] then @@ -1114,7 +1114,7 @@ fi fi;; FreeBSD) - [ $V -gt 50 ] && n=3D1 || n=3D2 + [ $V -gt 500 ] && n=3D1 || n=3D2 if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABE= L}"` -ne $n ] then STATUS=3D${INFECTED} @@ -1145,10 +1145,10 @@ ret=3D`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"` if [ ${ret} -gt 0 ]; then case ${ret} in - 1) [ "${SYSTEM}" =3D "OpenBSD" -a ${V} -le 27 -o ${V} -ge 30 ] && \ + 1) [ "${SYSTEM}" =3D "OpenBSD" -a ${V} -le 207 -o ${V} -ge 300 ] &= & \ STATUS=3D${NOT_INFECTED} || STATUS=3D${INFECTED};; 2) [ "${SYSTEM}" =3D "FreeBSD" -o ${SYSTEM} =3D "NetBSD" -o ${SYS= TEM} =3D \ -"OpenBSD" -a ${V} -ge 28 ] && STATUS=3D${NOT_INFECTED} || STATUS=3D${INFE= CTED};; +"OpenBSD" -a ${V} -ge 208 ] && STATUS=3D${NOT_INFECTED} || STATUS=3D${INF= ECTED};; =20 *) STATUS=3D${INFECTED};; esac @@ -1622,7 +1622,7 @@ expertmode_output "${ls} -l ${CMD}" return 5 fi - [ "${SYSTEM}" =3D "FreeBSD" -a $V -gt 50 ] && + [ "${SYSTEM}" =3D "FreeBSD" -a $V -gt 500 ] && { if [ `${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \ ${egrep} -c "$S_L"` -ne 2 ]; then @@ -2398,9 +2398,9 @@ SYSTEM=3D`${uname} -s` VERSION=3D`${uname} -r` if [ "${SYSTEM}" !=3D "FreeBSD" -a ${SYSTEM} !=3D "OpenBSD" ] ; then - V=3D44 + V=3D404 else - V=3D`echo $VERSION | cut -d- -f 1 | ${sed} 's/\.//g'` + V=3D$(( `echo $VERSION | cut -d- -f 1 | ${sed} 's/\./ * 100 + /g'` )) fi =20 # ps command Better tools in this case: in this case, I'd say tripwire or one of the work-alikes. =20 Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK --iVCmgExH7+hIHJ1A Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFArndqiD657aJF7eIRAiRxAKC1khe6tvA4zXKIK2Weh/TRZevaewCggUvh 2cOfVvjSgzeqZRzp6c07f10= =6uto -----END PGP SIGNATURE----- --iVCmgExH7+hIHJ1A--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040521214058.GD89897>