chfn, date, chsh INFECTED according to chkrootkit

Thordur Ivar B. thib at mi.is
Wed Aug 18 07:25:06 PDT 2004


On Wed, 18 Aug 2004 05:11:02 -0700 (PDT)
probsd org <probsdorg at yahoo.com> wrote:
> I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and
> noticed that chfn, date, and chsh showed as being
> infected. I remember reading a post from the past that
> right now chkrootkit is giving a lot of false
> positives, so I suspected that these 3 binaries are
> not bad.
> 
> However, to be on the safe side, I deleted the 3
> binaries, removed /usr/src and did a 'make world' to
> 4.10-STABLE.
>  
> But, chfn, chsh, and date are still showing as
> infected.
> 
> Is my assumption that I am seeing a false positive
> correct, or does anyone know of an exploit that would
> affect these 3 binaries ( and even after a 'make
> world' from clean src )?
> 
> Michael
> 

These are false positives. I had this showing on a box of mine
(chkrootkit-0.43). What I did was remove the binaries, resync my source
and do a new build.

But still, you can only be sure if you trust your CVS checkout.
I have found it rather annoying not having checksums of each and every file
in /usr/src, and a "secure" way (a man-in-the-middle attack, etc. comes to mind)
of obtaining the checksum file. (A good shell script could verify the
checkout and you could sleep easy ;)

Do correct me about the checksums if I'm wrong.

-- 
As far as the laws of mathematics refer to reality, they are not
certain, and as far as they are certain, they do not refer to reality.
                -- Albert Einstein
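The checksum-verification script suggested above, as an added example that is not from the original thread: it builds a SHA-256 manifest of a checkout and later verifies a tree against it, reporting changed, missing and extra files. It assumes file names contain no newlines and that the manifest itself was obtained over a channel you trust, which is exactly the gap the post points out.

```shell
#!/bin/sh
# Checksum manifest for a source tree: build a trusted "<sha256>  <path>"
# list once (and distribute it over a channel you trust), then re-verify the
# checkout against it before building. Assumes paths contain no newlines.

# FreeBSD ships sha256(1); GNU userlands ship sha256sum(1). Use whichever exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -c1-64
    else sha256 -q "$1"; fi
}

# make_manifest DIR: one line per regular file under DIR, sorted for stable diffs.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "${f#./}"
    done )
}

# lookup MANIFEST PATH: print the trusted digest for PATH, or nothing if absent.
# The path starts at column 67 (64 hex chars + two spaces), so spaces in names are safe.
lookup() {
    awk -v p="$2" 'substr($0, 67) == p { print substr($0, 1, 64) }' "$1"
}

# verify_manifest DIR MANIFEST: report CHANGED/MISSING/EXTRA files.
# Exit status is 0 only when the tree matches the manifest exactly.
verify_manifest() {
    dir=$1; manifest=$2; rc=0
    current=$(mktemp)
    make_manifest "$dir" > "$current"
    # Every trusted entry must be present with the same digest.
    while IFS= read -r line; do
        path=${line#*  }; want=${line%%  *}
        have=$(lookup "$current" "$path")
        if [ -z "$have" ]; then printf 'MISSING: %s\n' "$path"; rc=1
        elif [ "$have" != "$want" ]; then printf 'CHANGED: %s\n' "$path"; rc=1; fi
    done < "$manifest"
    # Anything in the tree that the trusted list never mentioned is suspect too.
    while IFS= read -r line; do
        path=${line#*  }
        [ -n "$(lookup "$manifest" "$path")" ] || { printf 'EXTRA: %s\n' "$path"; rc=1; }
    done < "$current"
    rm -f "$current"
    return $rc
}
```

Typical use is `make_manifest /usr/src > src.sha256` on a checkout you trust, then `verify_manifest /usr/src src.sha256` before each `make world`; a signed copy of the manifest (or one fetched from a host you can authenticate) is what closes the man-in-the-middle concern.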

