Re: chfn, date, chsh INFECTED according to chkrootkit
From: Tommy K (tommy_at_berlin.homeunix.com)
Date: 08/18/04
- Previous message: Giorgos Keramidas: "Re: chfn, date, chsh INFECTED according to chkrootkit"
- In reply to: probsd org: "chfn, date, chsh INFECTED according to chkrootkit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 18 Aug 2004 17:56:59 +0200 To: probsd org <probsdorg@yahoo.com>
Hello,
I have written the author of chkrootkit this mail.
Tommy
On Fri, Jul 02, 2004 at 01:20:50PM +0200, Tommy K wrote:
> Hello,
>
> I have tested chkrootkit on many FreeBSD 4.10** machines and all of the
> tested machines have the same INFECTED things.
>
> I think that is a bug in chkrootkit
>
> <snip>
Yes, you are right.
I will fix it in the next version.
Thanks a lot for your bug report and interest in chkrootkit,
./nelson -murilo
> # chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not infected
> Checking `basename'... not infected
> Checking `biff'... not infected
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `cron'... not infected
> Checking `date'... INFECTED
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> </snip>
>
> Hopefully it could help you!
>
> Regards Tommy
>
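> --
> Das Büro am Draht GmbH | Blücherstraße 22 | D-10961 Berlin
> http://www.dasburo.com | http://tom.dasburo.com
> Key fingerprint = BFED 7E4C 8B67 64C8 B210 89D1 5678 1A02 7354 DFB5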
>
> Thomas Kamann | Auszubildener - Anwendungsentwicklung
On Wed, Aug 18, 2004 at 05:11:02AM -0700, probsd org wrote:
> I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and
> noticed that chfn, date, and chsh showed as being
> infected. I remember reading posts from the past that
> right now chkrootkit is giving a lot of false
> positives, so I suspected that these 3 binaries are
> not bad.
>
> However, to be on the safe side, I deleted the 3
> binaries, removed /usr/src and did a 'make world' to
> 4.10-STABLE.
>
> But, chfn, chsh, and date are still showing as
> infected.
>
> Is my assumption that I am seeing a false positive
> correct, or does anyone know of an exploit that would
> affect these 3 binaries ( and even after a 'make
> world' from clean src )?
>
> Michael
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
--
Das Büro am Draht GmbH | Blücherstraße 22 | D-10961 Berlin
http://www.dasburo.com | http://tom.dasburo.com
Key fingerprint = BFED 7E4C 8B67 64C8 B210 89D1 5678 1A02 7354 DFB5
Thomas Kamann | Auszubildener - Anwendungsentwicklung