From owner-freebsd-questions  Thu Feb  6 23:23: 0 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3BC5D37B401
	for <freebsd-questions@FreeBSD.ORG>; Thu,  6 Feb 2003 23:22:59 -0800 (PST)
Received: from boris.st.hmc.edu (boris.ST.HMC.Edu [134.173.63.11])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B904943FDF
	for <freebsd-questions@FreeBSD.ORG>; Thu,  6 Feb 2003 23:22:58 -0800 (PST)
	(envelope-from jeff@unixconsults.com)
Received: from boris.st.hmc.edu (localhost.st.hmc.edu [127.0.0.1])
	by boris.st.hmc.edu (8.12.6/8.12.6) with ESMTP id h177MqA1076933;
	Thu, 6 Feb 2003 23:22:52 -0800 (PST)
	(envelope-from jeff@unixconsults.com)
Received: from localhost (jeff@localhost)
	by boris.st.hmc.edu (8.12.6/8.12.6/Submit) with ESMTP id h177MqDc076930;
	Thu, 6 Feb 2003 23:22:52 -0800 (PST)
X-Authentication-Warning: boris.st.hmc.edu: jeff owned process doing -bs
Date: Thu, 6 Feb 2003 23:22:51 -0800 (PST)
From: Jeff Jirsa <jeff@unixconsults.com>
X-X-Sender: jeff@boris.st.hmc.edu
To: "Remington L." <madriax@garlic.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: **CHHROOTKIT INFECTED**
In-Reply-To: <000501c2ce72$949e2160$0100a8c0@SHMOOPIE>
Message-ID: <20030206232135.K76913-100000@boris.st.hmc.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Scanned: by unixconsults.com
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Thu, 6 Feb 2003, Remington L. wrote:

> I'm using 5.0 release
>
> OK I was just going through and I found that chkrootkit found that chfn,
> chsh, date, and ls are infected. I'm not sure if it's lying or not. I
> attempted to fix ls by recompiling from /usr/src/bin/ls and redoing but
> chkrootkit still says infected. That's all the information I can provide
> at this time. Has anyone come across this problem? Any suggestions?
> Could be 5.0 causing this or is there some validity to it?


You're not infected. chkrootkit checks for the presence of "/bin/sh" or
"/bin/csh" in output of `strings <binary>`, and apparently this no longer
works. You'll have to wait for chkrootkit to be updated to support FreeBSD
5.

- Jeff


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message