Date:      Fri, 21 May 2004 22:40:58 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Tom Rhodes <trhodes@FreeBSD.org>
Cc:        RazorOnFreeBSD <yann.luppo@attglobal.net>
Subject:   Re: Hacked or not ?
Message-ID:  <20040521214058.GD89897@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20040521161133.080c23d7@localhost>
References:  <021f01c43f3a$e7eb7f40$0f01a8c0@razor> <20040521200254.GC89897@happy-idiot-talk.infracaninophile.co.uk> <20040521161133.080c23d7@localhost>

On Fri, May 21, 2004 at 04:11:33PM -0400, Tom Rhodes wrote:
> On Fri, 21 May 2004 21:02:54 +0100
> Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:
>
> > On Fri, May 21, 2004 at 03:52:45PM +0200, RazorOnFreeBSD wrote:
> >
> > > I have a 4.9-STABLE FreeBSD box apparently hacked!
> > > Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> > > Those are:
> > > chfn     ... INFECTED
> > > chsh    ... INFECTED
> > > date     ... INFECTED
> > > ls         ... INFECTED
> > > ps        ... INFECTED
> >
> > Sheesh.  Not this *again*.  This is a false alarm: chkrootkit is
> > exceedingly sensitive to something about the way such programs work
> > under FreeBSD and has to be continually futzed so that it knows not to
> > complain on each successive version of FreeBSD.  Comes up in this or
> > other FreeBSD lists just about every week.
> >
> > Relax.  You're not compromised.  You just need better tools.
> >
>
> I love the "just need better tools." without any recommendation
> for him.

Well, the question was "has my machine been compromised", which I
answered.

The current version of chkrootkit in ports (0.43) has a problem
whereby it thinks FreeBSD 4.10 is a higher version than FreeBSD 5.0,
which means that it reports certain programs are infected because they
*don't* fail in the expected way found on 5.0 or above.  Here's a
patch:

--- chkrootkit.orig	Fri May 21 22:19:16 2004
+++ chkrootkit	Fri May 21 22:36:29 2004
@@ -257,7 +257,7 @@
 {
     prog=3D""
     if [  \( "${SYSTEM}" =3D "Linux"  -o \( "${SYSTEM}" =3D "FreeBSD" -a \
-       ${V} -gt 43 \) \) -a "${ROOTDIR}" =3D "/" ]; then
+       ${V} -gt 403 \) \) -a "${ROOTDIR}" =3D "/" ]; then
       [ ! -x /usr/local/sbin/chkproc ] && prog=3D"/usr/local/sbin/chkproc"
       [ ! -x /usr/local/sbin/chkdirs ] && prog=3D"$prog /usr/local/sbin/ch=
kdirs"
       if [ "$prog" !=3D "" ]; then
@@ -1080,7 +1080,7 @@
              STATUS=3D${INFECTED}
           fi;;
        FreeBSD)
-          [ $V -gt 50 ] && n=3D1 || n=3D2
+          [ $V -gt 500 ] && n=3D1 || n=3D2
           if [ `${strings} -a ${CMD} | \
                 ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
           then
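Review bot: `[ $V -gt 500 ] && n=1 || n=2` still puts 5.0 itself (V=500) on the n=2 side, while the covering text describes the different strings behaviour as found on "5.0 or above"; if that is the intended boundary the test should be `-ge 500`. The old `-gt 50` had the same gap, so carrying it over is defensible, but it is worth deciding explicitly now that the encoding is being changed.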
@@ -1114,7 +1114,7 @@
              fi
           fi;;
        FreeBSD)
-          [ $V -gt 50 ] && n=3D1 || n=3D2
+          [ $V -gt 500 ] && n=3D1 || n=3D2
           if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABE=
L}"` -ne $n ]
              then
              STATUS=3D${INFECTED}
@@ -1145,10 +1145,10 @@
     ret=3D`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"`
     if [ ${ret} -gt 0 ]; then
         case ${ret} in
-        1) [ "${SYSTEM}" =3D "OpenBSD" -a ${V} -le 27 -o ${V} -ge 30 ] && \
+        1) [ "${SYSTEM}" =3D "OpenBSD" -a ${V} -le 207 -o ${V} -ge 300 ] &=
& \
              STATUS=3D${NOT_INFECTED} || STATUS=3D${INFECTED};;
         2) [ "${SYSTEM}" =3D "FreeBSD"  -o ${SYSTEM} =3D "NetBSD" -o ${SYS=
TEM} =3D \
-"OpenBSD" -a  ${V} -ge 28 ] && STATUS=3D${NOT_INFECTED} || STATUS=3D${INFE=
CTED};;
+"OpenBSD" -a  ${V} -ge 208 ] && STATUS=3D${NOT_INFECTED} || STATUS=3D${INF=
ECTED};;
=20
         *) STATUS=3D${INFECTED};;
         esac
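Review bot: the `1)` case mixes `-a` and `-o` without grouping, and POSIX `test` gives `-a` precedence over `-o`, so `[ "${SYSTEM}" = "OpenBSD" -a ${V} -le 207 -o ${V} -ge 300 ]` is evaluated as (OpenBSD and V <= 207) or (V >= 300); the second clause matches any SYSTEM, so the OpenBSD check only guards the low side. Renumbering 27/30 to 207/300 preserves that, but since the line is being touched anyway, group the OpenBSD conjunction with `\( ... \)` and quote `${SYSTEM}` in the `2)` case as the `1)` case already does.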
@@ -1622,7 +1622,7 @@
         expertmode_output "${ls} -l ${CMD}"
         return 5
     fi
-    [ "${SYSTEM}" =3D "FreeBSD" -a $V -gt 50 ] &&
+    [ "${SYSTEM}" =3D "FreeBSD" -a $V -gt 500 ] &&
     {
        if [ `${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \
           ${egrep} -c "$S_L"` -ne 2 ]; then
@@ -2398,9 +2398,9 @@
 SYSTEM=3D`${uname} -s`
 VERSION=3D`${uname} -r`
 if [ "${SYSTEM}" !=3D "FreeBSD" -a ${SYSTEM} !=3D "OpenBSD" ] ; then
-   V=3D44
+   V=3D404
 else
-   V=3D`echo $VERSION | cut -d- -f 1 | ${sed} 's/\.//g'`
+   V=3D$(( `echo $VERSION | cut -d- -f 1 | ${sed} 's/\./ * 100 + /g'` ))
 fi
=20
 # ps command
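Review bot: `${sed} 's/\./ * 100 + /g'` rewrites every dot, so a release string with a third field (5.2.1 as a constructed example; FreeBSD does ship patch-level releases) becomes `5 * 100 + 2 * 100 + 1`, i.e. 701, and sorts above 7.0. Take only major and minor before the rewrite, e.g. `cut -d- -f 1 | cut -d. -f 1,2 | ${sed} 's/\./ * 100 + /'` without `/g`; the same mapping then also holds for OpenBSD, which goes through this branch.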

Better tools in this case: I'd say tripwire or one of the work-alikes.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
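As an added example, not part of the mail or of chkrootkit, the version encodings side by side in sh: the 0.43 rule that deletes dots, the patch's `major * 100 + minor` rewrite, and an assumed two-field variant of my own; the release strings and function names are constructed.

```shell
#!/bin/sh
# Added example, not from the mail or from chkrootkit: reproduces the 0.43
# version-comparison bug on FreeBSD and tries the encodings on constructed
# `uname -r` strings. Function names are my own.

# chkrootkit 0.43: delete every dot, so "4.10" -> 410 but "5.0" -> 50,
# and 4.10 then sorts above 5.0.
old_encode() {
    echo "$1" | cut -d- -f 1 | sed 's/\.//g'
}

# The patch in the mail: every dot becomes " * 100 + ", so "4.10" -> 410
# and "5.0" -> 500. With a third field the same rewrite yields
# "5 * 100 + 2 * 100 + 1" = 701 for "5.2.1".
patch_encode() {
    echo $(( $(echo "$1" | cut -d- -f 1 | sed 's/\./ * 100 + /g') ))
}

# Assumed hardening: use only major and minor, so "5.2.1" -> 502
# and a bare "5" -> 500 (cut -s prints nothing when there is no dot).
two_field_encode() {
    rel=$(echo "$1" | cut -d- -f 1)
    major=$(echo "$rel" | cut -d. -f 1)
    minor=$(echo "$rel" | cut -s -d. -f 2)
    echo $(( major * 100 + ${minor:-0} ))
}

# The patched test `$V -gt 500`: true when chkrootkit takes the 5.x branch.
is_5x() { [ "$(two_field_encode "$1")" -gt 500 ]; }

main() {
    for r in 4.9-STABLE 4.10-RELEASE 5.0-RELEASE 5.2.1-RELEASE; do
        printf '%-14s old=%-4s patch=%-4s two_field=%-4s ' "$r" \
            "$(old_encode "$r")" "$(patch_encode "$r")" "$(two_field_encode "$r")"
        if is_5x "$r"; then echo '5.x branch'; else echo '4.x branch'; fi
    done
}
main
```

Under the patch's `-gt 500` test 5.0 itself still takes the 4.x branch, which the 5.0-RELEASE row makes visible.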
