Re: chkrootkit reporting sshd vulnerable?

Date: 01/03/02

    Date: Thu, 03 Jan 2002 01:03:02 GMT

    Henri Karrenbeld <> wrote:
    > Doctor Zen <> writes:

    >>I was just a little worried about this, I ran chkrootkit in expert mode (ha
    >>ha, me, an expert?, ha ha) and it gave the strings from sshd but after
    >>sifting through hundreds of pages I didn't spot anything untoward, not that
    >>I'd really know what to look for apart from anything obvious like "warez
    >>dude" or something like that...
    >>Might be a bug in chkrootkit or something to worry about?
    > Okay, this is the deal as far as I have figured it out:
    > Some of chkrootkit works by running the 'strings' command on certain programs
    > (e.g. sshd and sshd2) and then 'grep'-ing for various known rootkit string
    > patterns.
    > One of those patterns, being a pre-compiled password in a trojan sshd2 version,
    > is '^1234$' (a line containing 1234 only). No problem here, I guess there might
    > be a trojan out there with that in it.


    Also note the thread titled "understanding chkrootkit: sshd section" in, and comp.unix.admin

    "Anyone with the naivety to run IIS is, IMHO, automatically suspect when it
     comes to doing anything technical, such as setting a clock."
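
The check described in the quoted reply (run `strings` over the binary, then grep for the line-anchored pattern `^1234$`) can be reproduced for triage. The sketch below is an added example, not chkrootkit's code and not part of the original post. It assumes `strings` defaults (printable runs of at least 4 bytes), uses hypothetical function names, and runs on constructed sample bytes. It reports each hit with its offset and neighbouring strings, so a match can be reviewed without reading the full expert-mode dump.

```python
import re

# Assumption: approximates default `strings` output (runs of at least
# 4 printable ASCII bytes or tabs, one run per output line).
def extract_strings(data, min_len=4):
    """Return [(offset, text), ...] for each printable run in data."""
    run = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in run.finditer(data)]

def signature_hits(data, pattern=r"^1234$", context=1):
    """Match a grep-style anchored pattern against each extracted string.

    Each hit carries its byte offset and the neighbouring strings, which
    is what an admin needs to judge whether the match sits next to
    password-handling text or is just a stray four-digit run.
    """
    found = extract_strings(data)
    rx = re.compile(pattern)
    hits = []
    for i, (offset, text) in enumerate(found):
        if rx.search(text):
            hits.append({
                "offset": offset,
                "match": text,
                "before": [t for _, t in found[max(0, i - context):i]],
                "after": [t for _, t in found[i + 1:i + 1 + context]],
            })
    return hits

# Constructed sample: "1234" stands alone between NUL bytes, so it becomes
# its own line of `strings` output and the anchored pattern matches it.
SAMPLE_STANDALONE = (b"\x7fELF\x00\x00OpenSSH_sample\x00\x00"
                     b"1234\x00\x00%s: bad format\x00")

# Constructed sample: "1234" only appears inside longer printable runs,
# so the ^...$ anchors prevent a match.
SAMPLE_EMBEDDED = b"\x00listen port 12345\x00\x00version 1234b\x00"

if __name__ == "__main__":
    for name, blob in (("standalone", SAMPLE_STANDALONE),
                       ("embedded", SAMPLE_EMBEDDED)):
        print(name, signature_hits(blob))
```

A hit only shows that the binary contains a printable run that is exactly `1234`; the offset and the surrounding strings are the starting point for deciding what that run belongs to.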
