Re: chfn, date, chsh INFECTED according to chkrootkit

From: Thordur Ivar B. (thib_at_mi.is)
Date: 08/18/04

    Date: Wed, 18 Aug 2004 14:25:11 +0000
    To: freebsd-security@freebsd.org
    
    

    On Wed, 18 Aug 2004 05:11:02 -0700 (PDT)
    probsd org <probsdorg@yahoo.com> wrote:
    > I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and
    > noticed that chfn, date, and chsh showed as being
    > infected. I remember reading posts from the past that
    > right now chkrootkit is giving a lot of false
    > positives, so I suspected that these 3 binaries are
    > not bad.
    >
    > However, to be on the safe side, I deleted the 3
    > binaries, removed /usr/src and did a 'make world' to
    > 4.10-STABLE.
    >
    > But chfn, chsh, and date are still showing as
    > infected.
    >
    > Is my assumption that I am seeing a false positive
    > correct, or does anyone know of an exploit that would
    > affect these 3 binaries ( and even after a 'make
    > world' from clean src )?
    >
    > Michael
    >

    These are false positives. I had this showing on a box of mine
    (chkrootkit-0.43). What I did was remove the binaries, resync my source
    and do a new build.

    But still, you can only be sure if you trust your CVS checkout.
    I have found it rather annoying not having checksums of each and every file
    in /usr/src. And having a "secure" (man-in-the-middle attacks, etc. come to mind)
    way of obtaining the checksum file. (A good shell script could verify the
    checkout and you could sleep easy ;)

    Do correct me about the checksums if I'm wrong.

    -- 
    As far as the laws of mathematics refer to reality, they are not
    certain, and as far as they are certain, they do not refer to reality.
                    -- Albert Einstein
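
The kind of checkout-verification script the reply above wishes for, as an added example that is not part of the original message or of any FreeBSD tooling. The function names, the manifest format and the use of SHA-256 are assumptions, and the check is only as trustworthy as the channel over which the manifest was obtained.

```shell
#!/bin/sh
# Added example: compare a source tree against a checksum manifest.
# Assumed manifest format: "<sha256 hex>  ./relative/path", one file per line.
# File names containing newlines are not supported.

# Print the SHA-256 of one file with whichever tool is installed.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD base system
    else
        sha256sum "$1" | cut -d' ' -f1      # GNU coreutils
    fi
}

# make_manifest TREE: print a manifest for every regular file under TREE.
# Run this on a copy of the tree you already trust.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done )
}

# verify_tree TREE MANIFEST: print one line per discrepancy; return 1 if any.
verify_tree() {
    tree=$1; manifest=$2; status=0
    # Pass 1: every listed file must exist and hash to the listed value.
    while IFS= read -r line; do
        want="${line%%  *}"
        path="${line#*  }"
        if [ ! -f "$tree/$path" ]; then
            echo "MISSING  $path"; status=1
        elif [ "$(hash_file "$tree/$path")" != "$want" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$manifest"
    # Pass 2: files present in the tree but absent from the manifest.
    extra=$( (cd "$tree" && find . -type f) | LC_ALL=C sort |
        awk '!tree { seen[substr($0, 67)] = 1; next }
             !($0 in seen) { print "EXTRA    " $0 }' "$manifest" tree=1 - )
    if [ -n "$extra" ]; then echo "$extra"; status=1; fi
    return "$status"
}

# Command-line use: sh verify-src.sh TREE MANIFEST
if [ "$#" -eq 2 ]; then verify_tree "$1" "$2"; fi
```

Files that appear in the tree but not in the manifest are reported as EXTRA, so an added file is caught as well as a changed one.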
    
