Date:      Thu, 15 Apr 2004 08:29:17 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Mike <addymin@pacbell.net>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: False positives from chkrootkit? or hacked test server?
Message-ID:  <20040415072917.GC40193@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <407D910F.8050507@pacbell.net>
References:  <407D910F.8050507@pacbell.net>



On Wed, Apr 14, 2004 at 12:29:19PM -0700, Mike wrote:

> Well... I installed and ran chkrootkit. And the output shows that:
>
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
>
> No rootkits were found.

> Question: Does chkrootkit ever generate false positives?

In a word: yes.  This was something that was quite a popular question
on this list some months back around the time of one of the earlier
5.x releases.  I don't remember anyone mentioning this in the context
of 4.9 or earlier systems, but that could just be my memory failing.

   http://lists.freebsd.org/pipermail/freebsd-security/2003-August/000755.html

For the rest of the traffic look at:

   http://www.google.co.uk/search?hl=en&ie=UTF-8&oe=UTF-8&safe=off&q=site%3Alists.freebsd.org+chkrootkit+chfn+INFECTED&btnG=Search&meta=

(Nb. chkrootkit has since been fixed to work correctly under 5.x)

However see this:

    http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011362.html

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK



