Date: Wed, 18 Aug 2004 14:25:11 +0000 From: "Thordur Ivar B." <thib@mi.is> To: freebsd-security@freebsd.org Subject: Re: chfn, date, chsh INFECTED according to chkrootkit Message-ID: <20040818142511.390043af.thib@mi.is> In-Reply-To: <20040818121102.95460.qmail@web52402.mail.yahoo.com> References: <20040818121102.95460.qmail@web52402.mail.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 18 Aug 2004 05:11:02 -0700 (PDT) probsd org <probsdorg@yahoo.com> wrote: > I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and > noticed that chfn, date, and chsh showed as being > infected. I remember reading post from the past that > right now chkrootkit is giving alot of false > positives, so I suspected that these 3 binaries are > not bad. > > However, to be on the safe side, I deleted the 3 > binaries, removed /usr/src and did a 'make world' to > 4.10-STABLE. > > But, chfn, cfsh, and date are stilling showing as > infected. > > Is my assumption that I am seeing a false positive > correct, or anyone know of an exploit that would > affect these 3 binaries ( and even after a 'make > world' from clean src )? > > Michael > These are false positives. I had this showing on a box of mine (chkrootkit-0.43). And What I did was remove the binarys and resync'ed my source and did a new build. But still, you can only be sure if you trust you CVS checkout. I have found it rather annyoing not have'ing checksums of each and every file in /usr/src. And having a "secure" (man-in-the-middle attack, etc comes in mind) way of optaining the checksum file.( A good shell script could verify the checkout and you could sleep easy ;) Do correct me about the checksums if I'm wrong. -- As far as the laws of mathematics refer to reality, they are not certain, and as far as they are certain, they do not refer to reality. -- Albert Einstein
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040818142511.390043af.thib>