Re: chkrootkit reporting sshd vulnerable?

Date: 01/03/02

    Date: Thu, 03 Jan 2002 01:03:02 GMT

    Henri Karrenbeld <> wrote:
    > Doctor Zen <> writes:

    >>I was just a little worried about this, I ran chkrootkit in expert mode (ha
    >>ha, me, an expert?, ha ha) and it gave the strings from sshd but after
    >>sifting through hundreds of pages I didn't spot anything untoward, not that
    >>I'd really know what to look for apart from anything obvious like "warez
    >>dude" or something like that...
    >>Might be a bug in chkrootkit or something to worry about?
    > Okay, this is the deal as far as I have figured it out:
    > Some of chkrootkit works by running the 'strings' command on certain programs
    > (e.g. sshd and sshd2) and then 'grep'-ing for various known rootkit string
    > patterns.
    > One of those patterns, being a pre-compiled password in a trojan sshd2 version,
    > is '^1234$' (a line containing 1234 only). No problem here, I guess there might
    > be a trojan out there with that in it.


    Also note the thread titled "understanding chkrootkit: sshd section" in, and comp.unix.admin

    "Anyone with the naivety to run IIS is, IMHO, automatically suspect when it
     comes to doing anything technical, such as setting a clock."
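
The check described in the quoted reply, as an added example that is not part of the original post and is not chkrootkit's own code: it runs a `strings`-style extraction over two harmless sample files and applies the `^1234$` pattern, showing that any binary containing a standalone `1234` string is flagged. The function names and sample bytes are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration of a "strings | grep" signature check.
# Function names and sample bytes are constructed for this example.

# Print runs of 4+ printable bytes, one per line, approximating strings(1).
# Falls back to tr/grep where binutils is not installed.
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '.{4,}'
    fi
}

# Exit 0 (flagged) when some extracted string is exactly "1234".
sig_match() {
    extract_strings "$1" | grep -q '^1234$'
}

# Show the hit with its neighbouring strings, which is what an analyst
# needs in order to judge whether the match means anything.
sig_context() {
    extract_strings "$1" | grep -B1 -A1 '^1234$'
}

# Build two constructed, harmless sample files in directory $1.
make_samples() {
    # "1234" sits alone between NUL bytes, so it becomes its own line.
    printf '\001\002\000usage: demo [-p port]\0001234\000version 1.0\000\377' \
        > "$1/benign_with_1234"
    # "12345" inside a longer string: the anchored pattern does not match.
    printf '\001\002\000listening on port 12345\000\377' \
        > "$1/benign_no_match"
}

demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    for f in "$d"/*; do
        if sig_match "$f"; then
            echo "FLAGGED ${f##*/}"; sig_context "$f" | sed 's/^/    /'
        else
            echo "ok      ${f##*/}"
        fi
    done
    rm -rf "$d"
}

demo
```

A hit on a pattern this short only says that the four bytes occur on their own in the file; the neighbouring strings printed by `sig_context` are the starting point for deciding whether the binary deserves a closer look.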