Date: Thu, 15 Apr 2004 08:29:17 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Mike <addymin@pacbell.net>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: False positives from chkrootkit? or hacked test server?
Message-ID: <20040415072917.GC40193@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <407D910F.8050507@pacbell.net>
References: <407D910F.8050507@pacbell.net>
On Wed, Apr 14, 2004 at 12:29:19PM -0700, Mike wrote:

> Well... I installed and ran chkrootkit. And the output shows that:
>
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
>
> No rootkits were found.

> Question: Does chkrootkit ever generate false positives?

In a word: yes. This was something that was quite a popular question on
this list some months back around the time of one of the earlier 5.x
releases. I don't remember anyone mentioning this in the context of 4.9
or earlier systems, but that could just be my memory failing.

http://lists.freebsd.org/pipermail/freebsd-security/2003-August/000755.html

For the rest of the traffic look at:

http://www.google.co.uk/search?hl=en&ie=UTF-8&oe=UTF-8&safe=off&q=site%3Alists.freebsd.org+chkrootkit+chfn+INFECTED&btnG=Search&meta=

(Nb. chkrootkit has since been fixed to work correctly under 5.x)

However see this:

http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011362.html

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   26 The Paddocks
                                                  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey     Marlow
Tel: +44 1628 476614                              Bucks., SL7 1TH UK
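As an added example (not part of the original thread, and not chkrootkit's own code), the following POSIX shell script records SHA-256 hashes of a set of binaries and later re-checks them against that baseline. It gives an independent way to test a report like the one quoted above: if `ls` and `ps` still match hashes recorded from a trusted install, the "INFECTED" lines are far more likely to be the known false positive than a real modification. The manifest path and the binary list in the usage notes are assumptions; the files created by the test are constructed. The baseline is only meaningful if it was recorded before any suspected compromise, ideally from freshly installed release media.

```shell
#!/bin/sh
# Record and verify SHA-256 hashes of system binaries.
# Added example for the chkrootkit false-positive discussion; not part of
# chkrootkit or FreeBSD. Paths in the usage notes below are assumptions.
#
# Usage (assumed paths):
#   sh binhash.sh record /usr/bin/chfn /usr/bin/chsh /bin/date /bin/ls /bin/ps \
#       > /var/db/binhash.manifest        # from a trusted install
#   sh binhash.sh verify /var/db/binhash.manifest
#                                         # later, when a scanner complains

# Portable SHA-256: FreeBSD ships sha256(1), most Linux systems sha256sum(1).
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Emit one "hash path" line per file argument (the manifest) on stdout.
make_manifest() {
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done
}

# Re-hash every path in the manifest file and report ok / MODIFIED / MISSING.
# Returns 0 only if every file is present and unchanged.
verify_manifest() {
    manifest="$1"
    status=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(hash_file "$path")
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            status=1
        else
            echo "ok       $path"
        fi
    done < "$manifest"
    return $status
}

# Command dispatch; does nothing when sourced or run without arguments.
case "${1:-}" in
    record) shift; make_manifest "$@" ;;
    verify) verify_manifest "$2" ;;
esac
```

A mismatch here does not prove a rootkit any more than a chkrootkit string match does, but it does tell you the binary is not the one you installed, which is the question Mike's report leaves open. Keep the manifest somewhere the host cannot silently rewrite it (read-only media or another machine), since an attacker with root could otherwise update it alongside the binaries.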