weird problem with chkrootkit and checksums
patpro
patpro at patpro.net
Sun Aug 24 02:19:26 PDT 2003
Hello,
Last night, my chkrootkit crontab returned an alarm message:
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 2 process hidden for ps command
> Warning: Possible LKM Trojan installed
Some research on Google makes me think it's probably a false positive. I
tried a few things:
re-launching chkrootkit: "Checking `lkm'... nothing detected"
re-compiling and launching a fresh binary: "Checking `lkm'... nothing detected"
and comparing some critical binaries with the ones compiled at the beginning
of August during a make world:
$ md5 /usr/obj/usr/src/bin/ls/ls
MD5 (/usr/obj/usr/src/bin/ls/ls) = cd2dcad3cc08b5f5ad05456f016e8099
$ md5 /bin/ls
MD5 (/bin/ls) = 1808e84cfcbaf71ce1073cc418ff262a
$ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) = 7fbd1e72a5795b038b16ece37df13ee0
$ md5 /usr/bin/netstat
MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501
I feel like there is something wrong here...
I picked random binaries and compared their checksums with their
/usr/obj/usr/src/ counterparts, and every time they did not match.
I tried the same check on another box running the same version of FreeBSD
and found the same differing checksums:
$ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) = 7fbd1e72a5795b038b16ece37df13ee0
$ md5 /usr/bin/netstat
MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501
So I guess it's normal behavior. Can someone please explain to me why the
original binaries (/usr/obj/usr/src/) don't have the same checksum as the
installed binaries?
thanks,
patpro
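As an added example, not part of patpro's message: a small sh script that repeats the comparison above and, where the checksums differ, checks whether the installed file is merely a stripped copy of the /usr/obj build (installworld installs binaries with install -s by default), which is a harmless difference; anything else is reported as a real mismatch worth investigating. The /usr/obj path mapping, the availability of strip(1), and md5(1) or md5sum(1) for the digest are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes strip(1) is available and
# that /usr/obj/usr/src mirrors the /bin and /usr/bin layout as in the post.

hash_of() {
    # md5(1) on FreeBSD, md5sum(1) elsewhere; print only the digest
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# compare_binary BUILT INSTALLED -> prints: match | match-after-strip | mismatch
compare_binary() {
    built=$1 installed=$2
    if cmp -s "$built" "$installed"; then
        echo match
        return 0
    fi
    # Strip a temporary copy of the built file; never touch the /usr/obj original.
    # A non-ELF input makes strip fail, which is reported as a plain mismatch.
    tmp=$(mktemp -t stripchk.XXXXXX)
    if command -v strip >/dev/null 2>&1 && strip -o "$tmp" "$built" 2>/dev/null \
        && cmp -s "$tmp" "$installed"; then
        rm -f "$tmp"
        echo match-after-strip
        return 0
    fi
    rm -f "$tmp"
    echo mismatch
}

# Usage: sh check.sh /bin/ls /usr/bin/netstat
for installed in "$@"; do
    case $installed in
        /bin/*)     built=/usr/obj/usr/src/bin/${installed#/bin/}/${installed##*/} ;;
        /usr/bin/*) built=/usr/obj/usr/src/usr.bin/${installed#/usr/bin/}/${installed##*/} ;;
        *)          echo "$installed: no /usr/obj mapping known"; continue ;;
    esac
    [ -f "$built" ] || { echo "$installed: no built copy at $built"; continue; }
    printf '%-18s %-18s built=%s installed=%s\n' "$installed" \
        "$(compare_binary "$built" "$installed")" "$(hash_of "$built")" "$(hash_of "$installed")"
done
```

A match-after-strip result only says the installed file is byte-identical to the stripped build; a mismatch on both counts means the installed copy differs from what make world produced and deserves a closer look.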