Re: weird problem with chkrootkit and checksums

From: horio shoichi (bugsgrief_at_bugsgrief.net)
Date: 08/25/03

  • Next message: Jacques A. Vidrine: "NOTE regarding sendmail DNS map issue"
    Date: Mon, 25 Aug 2003 08:27:33 +0900
    To: patpro <patpro@patpro.net>
    
    

    On Sun, 24 Aug 2003 11:19:24 +0200
    patpro <patpro@patpro.net> wrote:
    > Hello,
    >
    > last night, my chkrootkit crontab returned an alarm message:
    >
    > > Checking `lkm'... You have 1 process hidden for readdir command
    > > You have 2 process hidden for ps command
    > > Warning: Possible LKM Trojan installed
    >
    > Some research on google makes me think it's probably a false positive. I
    > tried a few things:
    >
    > re-launching chkrootkit : "Checking `lkm'... nothing detected"
    > re-compiling and launching fresh binary : "Checking `lkm'... nothing
    > detected"
    > and comparing some critical binaries with the ones compiled at the beginning
    > of August during a make world:
    >
    > $ md5 /usr/obj/usr/src/bin/ls/ls
    > MD5 (/usr/obj/usr/src/bin/ls/ls) = cd2dcad3cc08b5f5ad05456f016e8099
    > $ md5 /bin/ls
    > MD5 (/bin/ls) = 1808e84cfcbaf71ce1073cc418ff262a
    >
    > $ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
    > MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) =
    > 7fbd1e72a5795b038b16ece37df13ee0
    > $ md5 /usr/bin/netstat
    > MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501
    >
    > I feel like there is something wrong here...
    > I picked up random binaries and compared their checksum with their
    > /usr/obj/usr/src/ counterpart and every time it does not match.
    > I tried the same check on another box running the same version of FreeBSD
    > and found the same differing checksums:
    >
    > $ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
    > MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) =
    > 7fbd1e72a5795b038b16ece37df13ee0
    > $ md5 /usr/bin/netstat
    > MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501
    >
    > So I guess it's normal behavior. Can someone please explain to me why
    > original binaries (/usr/obj/usr/src/) don't have the same checksum as
    > installed binaries?
    >
    > thanks,
    >
    > patpro
    >

    Like this?

    % ls -l /bin/ls
    -r-xr-xr-x 1 root wheel 304840 Aug 6 23:52 /bin/ls*
    % ls -l /usr/obj/usr/src/bin/ls/ls
    -rwxr-xr-x 1 root horio 328286 Aug 6 22:40 /usr/obj/usr/src/bin/ls/ls*
    % file /bin/ls
    /bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 4.8, statically linked, stripped
    % file /usr/obj/usr/src/bin/ls/ls
    /usr/obj/usr/src/bin/ls/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 4.8, statically linked, not stripped

    horio shoichi

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
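As an added illustration of the point horio's ls/file output makes (example code written for this page, not from the thread, chkrootkit or FreeBSD's own tools): a small ELF32 parser that reads the section table, reports whether .symtab is present (what file(1) summarises as "stripped" versus "not stripped"), and classifies a /usr/obj-versus-installed MD5 mismatch accordingly. The ELF images below are constructed sample data, not real binaries; on a real host the confirming step is to strip a copy of the /usr/obj binary and compare its md5 with the installed file.

```python
import hashlib
import struct

ELF_HDR = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little-endian, as on the i386 FreeBSD 4.8 hosts in the thread
SEC_HDR = "<IIIIIIIIII"         # Elf32_Shdr
EHDR_SIZE, SHDR_SIZE = struct.calcsize(ELF_HDR), struct.calcsize(SEC_HDR)
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3

def build_elf(section_names):
    """Constructed sample: a minimal ELF32 image listing the given sections plus .shstrtab (not a real executable)."""
    names = list(section_names) + [".shstrtab"]
    strtab, name_off = b"\x00", {}
    for n in names:
        name_off[n] = len(strtab)
        strtab += n.encode() + b"\x00"
    shoff = EHDR_SIZE + len(strtab)                 # section headers follow the string table
    shdrs = struct.pack(SEC_HDR, *([0] * 10))       # mandatory null entry at index 0
    for n in names:
        typ = SHT_STRTAB if n == ".shstrtab" else SHT_SYMTAB if n == ".symtab" else SHT_PROGBITS
        size = len(strtab) if n == ".shstrtab" else 0
        shdrs += struct.pack(SEC_HDR, name_off[n], typ, 0, 0, EHDR_SIZE, size, 0, 0, 1, 0)
    ident = b"\x7fELF" + bytes([1, 1, 1, 9]) + b"\x00" * 8   # 32-bit, little-endian, FreeBSD OSABI
    hdr = struct.pack(ELF_HDR, ident, 2, 3, 1, 0, 0, shoff, 0, EHDR_SIZE, 0, 0, SHDR_SIZE, len(names) + 1, len(names))
    return hdr + strtab + shdrs   # e_type 2 = EXEC, e_machine 3 = i386

def section_names(data):
    """Read the section names of an ELF32 little-endian image via e_shstrndx."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    eh = struct.unpack(ELF_HDR, data[:EHDR_SIZE])
    shoff, shentsize, shnum, shstrndx = eh[6], eh[11], eh[12], eh[13]
    shdrs = [struct.unpack(SEC_HDR, data[shoff + i * shentsize:shoff + (i + 1) * shentsize])
             for i in range(shnum)]
    stroff, strsize = shdrs[shstrndx][4], shdrs[shstrndx][5]
    strtab = data[stroff:stroff + strsize]
    return [strtab[h[0]:strtab.index(b"\x00", h[0])].decode() for h in shdrs[1:]]

def is_stripped(data):
    return ".symtab" not in section_names(data)   # strip(1) deletes .symtab; file(1) then reports "stripped"

def compare_build_to_installed(obj_image, installed_image):
    """Classify a /usr/obj vs installed checksum difference; stripping at install time is the benign case."""
    if hashlib.md5(obj_image).digest() == hashlib.md5(installed_image).digest():
        return "identical"
    if not is_stripped(obj_image) and is_stripped(installed_image):
        return "stripped-at-install"   # confirm by stripping a copy of the obj binary and re-hashing it
    return "unexplained"               # sizes or symbol tables do not fit the stripping story: look closer

# Constructed pair: the build product keeps its symbol table, the installed copy does not
OBJ_LS = build_elf([".text", ".symtab", ".strtab"])
INSTALLED_LS = build_elf([".text"])
```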

