Re: chkrootkit & FBSD-5
From: Brooks Davis (brooks@one-eyed-alien.net)
Date: 01/28/03
- Next message: Eric L Howard: "Re: chkrootkit & FBSD-5"
- Previous message: Eric Anderson: "Re: The way forward......."
- In reply to: Sascha Luck: "chkrootkit & FBSD-5"
- Next in thread: Eric L Howard: "Re: chkrootkit & FBSD-5"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 Jan 2003 08:36:45 -0800 From: Brooks Davis <brooks@one-eyed-alien.net> To: Sascha Luck <bofh@online.ie>
On Tue, Jan 28, 2003 at 03:16:07PM +0000, Sascha Luck wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello all,
>
> on my CURRENT boxes, chkrootkit (v0.38) reports the following binaries
> as INFECTED:
>
> chfn
> chsh
> date
> ls
> ps
>
> as well as 7 hidden PIDs.
>
> recompiling/reinstalling the binaries seems to have no effect. I'm
> tempted to regard these as false positives - anyone else notice this
> behaviour?
Someone else mentioned it to me. They now contain the string "/bin/sh"
which chkrootkit looks for. I'd be curious to know why they do.
-- Brooks
-- Any statement of the form "X is the one, true Y" is FALSE. PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- application/pgp-signature attachment: stored
- Next message: Eric L Howard: "Re: chkrootkit & FBSD-5"
- Previous message: Eric Anderson: "Re: The way forward......."
- In reply to: Sascha Luck: "chkrootkit & FBSD-5"
- Next in thread: Eric L Howard: "Re: chkrootkit & FBSD-5"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
