Date:      Fri, 11 Apr 2003 01:29:17 -0700 (PDT)
From:      Tak Pui LOU <lou@man-97-187.ResHall.Berkeley.EDU>
To:        no name <securifymybox@hotmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: LKM problem
Message-ID:  <20030411012148.Y20688@man-97-187.ResHall.Berkeley.EDU>
In-Reply-To: <F81bZNK0xGl8WibIP4s0000eaad@hotmail.com>
References:  <F81bZNK0xGl8WibIP4s0000eaad@hotmail.com>

Although there is nothing detected in my LKM, I have the same question. I
have the following output:

Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED

What does INFECTED here imply? I just did a cvs to -current src-all and
did a buildworld etc. Are these "INFECTED" programs normal after a
-current buildworld from R5.0?

---
Takpui

On Fri, 11 Apr 2003, no name wrote:

> chkrootkit output follows (stripped out useless stuff):
>
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ps'... INFECTED
> Checking `lkm'... You have     2 process hidden for readdir command
> You have    13 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Can anyone please advise? I wouldn't want to reinstall the system from
> scratch (with all its requirements that would take about 3-4 days)
>
> I tried cvsup src-all and make world but the infected binaries remained.
> I even tried compiling by hand in /usr/src/bin/ls but the resulting binaries
> would still appear infected. Assuming there was something wrong with
> chkrootkit, I tried checking a ls binary compiled on a similar system and it
> found it clean. I couldn't use the 'ps' binary from the remote system:
> root@box ~/bin# ./ps
> ps: proc size mismatch (36936 total, 1060 chunks)
> root@box ~/bin#
>
> If anyone can help, I would like to find that rootkit and study it.
>
> Thanx in advance
