Re: chkrootkit reporting sshd vulnerable?

From: nickd@nospam.demon.co.uk
Date: 01/03/02


    From: nickd@nospam.demon.co.uk
    Date: Thu, 03 Jan 2002 01:03:02 GMT
    
    

    Henri Karrenbeld <ishtar@cal044202.student.utwente.nl> wrote:
    > Doctor Zen <hidden@from.spammers.net> writes:
    >
    <snip>

    >>I was just a little worried about this, I ran chkrootkit in expert mode (ha
    >>ha, me, an expert?, ha ha) and it gave the strings from sshd but after
    >>sifting through hundreds of pages I didn't spot anything untoward, not that
    >>I'd really know what to look for apart from anything obvious like "warez
    >>dude" or something like that...
    >
    >>Might be a bug in chkrootkit or something to worry about?
    >
    > Okay, this is the deal as far as I have figured it out:
    >
    > Some of chkrootkit works by running the 'strings' command on certain programs
    > (e.g. sshd and sshd2) and then 'grep'-ing for various known rootkit string
    > patterns.
    >
    > One of those patterns, being a pre-compiled password in a trojan sshd2 version,
    > is '^1234$' (a line containing 1234 only). No problem here, I guess there might
    > be a trojan out there with that in it.

    <snip>

    Also note the thread titled "understanding chkrootkit: sshd section" in
    comp.os.linux.security, comp.security.unix and comp.unix.admin

    -- 
    "Anyone with the naivety to run IIS is, IMHO, automatically suspect when it
     comes to doing anything technical, such as setting a clock."
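
The strings-then-grep check described in the quoted reply, as an added example that is not part of the original post and is not chkrootkit's own code. `extract_strings` is an assumed approximation of strings(1) (runs of at least 4 printable ASCII bytes, tab included), and the sample byte strings are constructed.

```python
import re

# Approximation of strings(1): runs of >= 4 printable ASCII bytes (tab included).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\t]{4,}")

# The signature quoted in the thread: a line containing 1234 only.
SIGNATURE = re.compile(r"^1234$")


def extract_strings(blob: bytes) -> list[str]:
    """Return the printable runs that a strings-like pass would emit, one per line."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def signature_hits(blob: bytes, pattern: re.Pattern = SIGNATURE) -> list[str]:
    """Return every extracted string that the anchored pattern matches."""
    return [s for s in extract_strings(blob) if pattern.search(s)]


# Constructed sample inputs (not taken from any real sshd binary).
SAMPLES = {
    # "1234" delimited by NUL bytes: emitted as its own line, so it matches.
    "standalone": b"\x7fELF\x00\x01sshd version\x001234\x00/etc/ssh\x00",
    # "1234" inside longer strings: the ^ and $ anchors reject both lines.
    "embedded": b"\x7fELF\x00port=12345\x00id-1234-x\x00",
    # "123" is below the 4-byte minimum, so it is never emitted at all.
    "short": b"\x00123\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        hits = signature_hits(blob)
        verdict = "FLAGGED" if hits else "clean"
        print(f"{name:10s} {verdict:8s} strings={extract_strings(blob)}")
```

The check sees only the extracted text: any binary in which a strings pass emits exactly `1234` is flagged, whatever that constant is used for.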
    


