From: Matthew Seaman
Date: Fri, 11 Apr 2003 11:41:20 +0100
To: freebsd-questions@freebsd.org
Subject: Re: LKM problem
Message-ID: <20030411104120.GC82425@happy-idiot-talk.infracaninophi>
In-Reply-To: <20030411012148.Y20688@man-97-187.ResHall.Berkeley.EDU>
On Fri, Apr 11, 2003 at 01:29:17AM -0700, Tak Pui LOU wrote:
> Although there is nothing detected in my LKM, I have the same question. I
> have the following output:
>
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
>
> What does INFECTED here imply? I just did a cvs to -current src-all and
> did a buildworld etc. Are these "INFECTED" programs normal after a
> -current buildworld from R5.0?
>
> On Fri, 11 Apr 2003, no name wrote:
>
> > chkrootkit output follows (stripped out useless stuff):
> >
> > Checking `chfn'... INFECTED
> > Checking `chsh'... INFECTED
> > Checking `date'... INFECTED
> > Checking `ps'... INFECTED
> > Checking `lkm'... You have 2 process hidden for readdir command
> > You have 13 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> >
> > Can anyone please advise? I wouldn't want to reinstall the system from
> > scratch (with all its requirements that would take about 3-4 days)

chkrootkit returns a number of false positives on FreeBSD 5.0 --- see for
instance:

    http://www.freebsd.org/cgi/getmsg.cgi?fetch=57132+60203+/usr/local/www/db/text/2003/freebsd-security/20030202.freebsd-security

If you check on http://www.chkrootkit.org/ or http://www.chkrootkit.org/README,
you will see that FreeBSD 5.0 is not a supported system. Unless there are any
other signs of infection, chances are that a 5.0 system showing these symptoms
is actually clean.

It's possible `no name's machine is infected: if it is running an OS version
from one of the 4.x or earlier branches, there's cause for concern. In which
case I'd back up all of the potentially nasty stuff to a safe place for later
analysis, and perform some sort of recovery operation. What and how much you do
to recover depends on how crucial this machine is.

At a minimum I'd suggest that you run through a standard buildworld,
buildkernel process as described in /usr/src/UPDATING with freshly cvsup'd
sources. That should overwrite anything compromised in the base system with a
clean version. It would probably be a good idea to disconnect from any networks
before you start the buildworld etc. and not reconnect until you've updated
your system and are sure that it's clean, and also go through your system
generally tightening up security and closing any holes you may find. Make sure
all ports/packages installed are up to date. Monitor the system closely for any
more signs of illicit activity over the next few weeks or months.

However, if you want to be absolutely certain that your machine is clean, then
there is no alternative other than wiping the disk entirely and re-installing
from scratch.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
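An added example, not part of the thread above or of chkrootkit itself: a minimal POSIX sh version of the "process hidden for ps command" comparison that the quoted chkrootkit output refers to, with the snapshot repeated so that processes which start or exit between the two listings (a classic source of spurious "hidden" PIDs) are filtered out. It assumes a mounted /proc (procfs on FreeBSD; the round count and the `run` argument are this example's own conventions).

```sh
#!/bin/sh
# Compare the PIDs that ps(1) reports with the numeric entries readdir returns
# for /proc.  A PID that /proc shows but ps does not is a candidate "hidden"
# process; one that is only missing in a single round is treated as a race.

# PIDs known to ps(1), as one space-separated line.
ps_pids() { ps -A -o pid= | tr -d ' ' | tr '\n' ' '; }

# PIDs visible as numeric directory names under /proc, as one line.
proc_pids() { ls /proc | grep -E '^[0-9]+$' | tr '\n' ' '; }

# Print every PID in list $2 that is absent from list $1 (one line, space-separated).
hidden_pids() {
    out=""
    for p in $2; do
        case " $1 " in
            *" $p "*) ;;
            *) out="$out $p" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Print the PIDs present in both list $1 and list $2.
common_pids() {
    out=""
    for p in $1; do
        case " $2 " in
            *" $p "*) out="$out $p" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Run the ps-vs-/proc comparison $1 times (default 3) and keep only PIDs that
# were missing from ps in every round, which drops short-lived processes.
stable_hidden() {
    rounds=${1:-3}; result=""; first=1
    while [ "$rounds" -gt 0 ]; do
        cur=$(hidden_pids "$(ps_pids)" "$(proc_pids)")
        if [ "$first" -eq 1 ]; then result=$cur; first=0
        else result=$(common_pids "$result" "$cur"); fi
        rounds=$((rounds - 1)); sleep 1
    done
    printf '%s\n' "$result"
}

# Invoke as "sh hidden_procs.sh run" to perform the live check on this host.
if [ "${1:-}" = "run" ]; then
    hidden=$(stable_hidden 3)
    if [ -n "$hidden" ]; then echo "PIDs in /proc but not in ps: $hidden"
    else echo "no consistently hidden processes"; fi
fi
```

A non-empty result is a reason to look closer, not proof of a rootkit: the quoted thread shows the same test firing on an unsupported but clean FreeBSD 5.0 system.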