Re: chkrootkit V. 0.47



On Tuesday 20 November 2007 16:41:52 JP wrote:
Running FreeBSD 6.1

After changing chkrootkit to the latest version V. 0.47 and compiling it
then running it I get the following:

==================<SNIPPIT>================
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 6667)
Checking `lkm'... You have 131 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... vr0 is not promisc
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
==================</SNIPPIT>================

Looking at the above, it shows a few anomalies, like the bindshell ...
INFECTED (PORTS: 6667)
--and--
Checking `lkm'... You have 131 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed

I do run an IRCd, and also a YaBB message board along with the Apache web
server. Would the above then be normal output, and what about the lkm?
Many thanks to those with more experience in this area.


Such tools are known to trigger false positives sometimes. I'd recommend
playing with some additional utilities like lsof. In the case of bindshell, try
to find processes that were executed from world-writable directories such
as /tmp. Try to shut down httpd and other daemons and see if any of them are
still running.


--
======================================================================
- Best regards, Nikolay Pavlov. <<<-----------------------------------
======================================================================
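The triage the reply suggests, written out as an added shell script (it is not part of chkrootkit and not code from either poster). It maps the flagged port back to the process that owns it, using sockstat on FreeBSD or lsof elsewhere, and lists running executables whose path sits under a world-writable directory. The port 6667 comes from the quoted chkrootkit output; the directory list in WW_DIRS, the procstat branch and the /proc/PID/exe fallback are assumptions, and the sockstat and "PID PATH" samples are constructed so the two parsing functions can be exercised without root or a FreeBSD box.

```shell
#!/bin/sh
# Triage helper for a chkrootkit "bindshell ... INFECTED (PORTS: 6667)" hit.
# Added example following the reply's advice; it is not part of chkrootkit
# and not code from either poster. It answers two questions:
#   1. which process actually owns the flagged port (sockstat on FreeBSD,
#      lsof elsewhere), so a legitimate IRCd on 6667 can be told apart from
#      a bind shell, and
#   2. whether any running executable lives under a world-writable directory
#      such as /tmp.
# Assumption: WW_DIRS is the list of directories treated as world-writable.

WW_DIRS="/tmp /var/tmp"

# owner_of_port PORT  (reads a `sockstat -4 -6 -l` listing on stdin)
# Columns: USER COMMAND PID FD PROTO LOCAL FOREIGN. Prints "COMMAND PID" for
# every socket whose local address ends in :PORT; the port is taken from the
# last colon-separated piece so IPv6 addresses work too.
owner_of_port() {
    awk -v p="$1" 'NR > 1 {
        n = split($6, a, ":")
        if (a[n] == p) print $2, $3
    }'
}

# flag_tmp_execs  (reads "PID PATH" lines on stdin)
# Prints the lines whose executable path starts with one of WW_DIRS.
flag_tmp_execs() {
    awk -v dirs="$WW_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        {
            for (i = 1; i <= n; i++)
                if (index($2, d[i] "/") == 1) { print; break }
        }'
}

# Constructed sample data (not captured from the poster's host). Note that the
# process on 6666 calls itself "httpd" but runs out of /tmp/.x.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
ircd     ircd       731   3  tcp4   *:6667                *:*
www      httpd      802   4  tcp4   *:80                  *:*
root     sshd       512   3  tcp4   *:22                  *:*
nobody   httpd      941   5  tcp4   *:6666                *:*
EOF
}

sample_execs() {
    cat <<'EOF'
731 /usr/local/sbin/ircd
802 /usr/local/sbin/httpd
512 /usr/sbin/sshd
941 /tmp/.x/httpd
EOF
}

# Live versions of the two checks for the host the script runs on.
live_port_check() {
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -4 -6 -l | owner_of_port "$1"
    elif command -v lsof >/dev/null 2>&1; then
        # lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
        lsof -nP -iTCP:"$1" -sTCP:LISTEN | awk 'NR > 1 { print $1, $2 }'
    else
        echo "neither sockstat nor lsof found" >&2
    fi
}

live_exec_check() {
    if command -v procstat >/dev/null 2>&1; then
        # assumption: procstat -ab prints PID COMM OSREL PATH (newer FreeBSD)
        procstat -ab 2>/dev/null | awk 'NR > 1 && NF >= 4 { print $1, $NF }' | flag_tmp_execs
    elif [ -d /proc ]; then
        # assumption: Linux-style /proc/PID/exe symlink
        for p in /proc/[0-9]*; do
            path=$(readlink "$p/exe" 2>/dev/null) || continue
            echo "${p#/proc/} $path"
        done | flag_tmp_execs
    fi
}

# Usage: sh triage.sh 6667
if [ $# -gt 0 ]; then
    echo "== processes listening on port $1 =="
    live_port_check "$1"
    echo "== processes executing from $WW_DIRS =="
    live_exec_check
fi
```

Run it once with the flagged port, then stop ircd, httpd and the other daemons and run it again: a process still bound to the port after its daemon is down, or anything executing out of /tmp, is what deserves a closer look, while an ircd binary in its normal install path owning 6667 is the ordinary explanation for that chkrootkit line.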
