Date:      Fri, 11 Apr 2003 11:41:20 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: LKM problem
Message-ID:  <20030411104120.GC82425@happy-idiot-talk.infracaninophi>
In-Reply-To: <20030411012148.Y20688@man-97-187.ResHall.Berkeley.EDU>
References:  <F81bZNK0xGl8WibIP4s0000eaad@hotmail.com> <20030411012148.Y20688@man-97-187.ResHall.Berkeley.EDU>

On Fri, Apr 11, 2003 at 01:29:17AM -0700, Tak Pui LOU wrote:
> Although there is nothing detected in my LKM, I have the same question. I
> have the following output:
>
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
>
> What does INFECTED here imply? I just did a cvs to -current src-all and
> did a buildworld etc. Are these "INFECTED" programs normal after a
> -current buildworld from R5.0?

> On Fri, 11 Apr 2003, no name wrote:
>
> > chkrootkit output follows (stripped out useless stuff):
> >
> > Checking `chfn'... INFECTED
> > Checking `chsh'... INFECTED
> > Checking `date'... INFECTED
> > Checking `ps'... INFECTED
> > Checking `lkm'... You have     2 process hidden for readdir command
> > You have    13 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> > Can anyone please advise? I wouldn't want to reinstall the system from
> > scratch (with all its requirements that would take about 3-4 days)

chkrootkit returns a number of false positives on FreeBSD 5.0 --- see
for instance:

    http://www.freebsd.org/cgi/getmsg.cgi?fetch=57132+60203+/usr/local/www/db/text/2003/freebsd-security/20030202.freebsd-security

If you check on http://www.chkrootkit.org/ or
http://www.chkrootkit.org/README, you will see that FreeBSD 5.0 is not
a supported system.  Unless there are any other signs of infection
chances are that a 5.0 system showing these symptoms is actually
clean.

It's possible `no name's machine is infected: if it is running an OS
version from one of the 4.x or earlier branches, there's cause for
concern.  In which case I'd back up all of the potentially nasty stuff
to a safe place for later analysis, and perform some sort of recovery
operation.

What and how much you do to recover depends on how crucial this
machine is.  At a minimum I'd suggest that you run through a standard
buildworld, buildkernel process as described in /usr/src/UPDATING with
freshly cvsup'd sources.  That should overwrite anything compromised
in the base system with a clean version.  It would probably be a good
idea to disconnect from any networks before you start the buildworld
etc. and not reconnect until you've updated your system and are sure
that it's clean.  Also go through your system generally, tightening
up security and closing any holes you may find.  Make sure all
ports/packages installed are up to date.  Monitor the system closely
for any more signs of illicit activity over the next few weeks or
months.  However, if you want to be absolutely certain that your
machine is clean, then there is no alternative other than wiping the
disk entirely and re-installing from scratch.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
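The rebuild advice above leaves one practical question open: after
buildworld/installworld, how do you confirm that the files chkrootkit
flagged (chfn, chsh, date, ls, ps) really were replaced with clean
copies, rather than just assuming it?  The script below is an added
example written for this archive page, not code from the thread or from
chkrootkit.  It compares a list of installed files byte-for-byte against
a reference tree; which tree you use as the reference (the world you
just built under /usr/obj, or a distribution set extracted from trusted
install media) and which files you list are assumptions you must supply.
The demo fixture at the end is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread.
#
# compare_tree REF INST FILE...
#   REF  - directory holding known-good copies (assumption: e.g. the
#          world you just built, or a distribution set extracted from
#          trusted install media)
#   INST - the live root you are checking (normally /)
#   FILE - paths relative to both roots, e.g. bin/ls usr/bin/chfn
# Prints one line per problem file; exit status 1 if anything differs
# or is missing, 0 if every listed file matches its reference copy.
compare_tree() {
    ref=$1; inst=$2; shift 2
    rc=0
    for f in "$@"; do
        if [ ! -f "$ref/$f" ]; then
            echo "MISSING-REFERENCE $f"; rc=1; continue
        fi
        if [ ! -f "$inst/$f" ]; then
            echo "MISSING-INSTALLED $f"; rc=1; continue
        fi
        # cmp is POSIX; a byte-for-byte comparison avoids depending on
        # whether the host calls its checksum tool md5(1) or md5sum(1).
        if ! cmp -s "$ref/$f" "$inst/$f"; then
            echo "DIFFERS $f"; rc=1
        fi
    done
    return $rc
}

# Constructed fixture standing in for a reference tree and an installed
# tree: ls matches, ps was altered, date is absent from the installed
# tree.  Prints the fixture directory so the caller can remove it.
demo_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ref/bin" "$tmp/inst/bin"
    printf 'clean ls\n'   > "$tmp/ref/bin/ls"
    cp "$tmp/ref/bin/ls"    "$tmp/inst/bin/ls"
    printf 'clean ps\n'   > "$tmp/ref/bin/ps"
    printf 'altered ps\n' > "$tmp/inst/bin/ps"
    printf 'clean date\n' > "$tmp/ref/bin/date"
    echo "$tmp"
}

# Stand-alone run against the fixture.  On a real system you would call
# compare_tree with your reference tree, / and the flagged files, e.g.
#   compare_tree /path/to/reference / bin/ls bin/ps bin/date \
#       usr/bin/chfn usr/bin/chsh
d=$(demo_fixture)
if compare_tree "$d/ref" "$d/inst" bin/ls bin/ps bin/date; then
    echo "all listed files match the reference tree"
else
    echo "one or more listed files differ from the reference tree"
fi
rm -rf "$d"
```

The reference tree must have been built from the same sources as the
binaries you are checking; a -current build compared against a
5.0-RELEASE binary will differ in every file and tells you nothing about
compromise.  A file that still differs after installworld means the
install did not replace it and deserves a closer look.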
