Do I have an infected init file?

Matt Piechota piechota at argolis.org
Thu May 12 14:00:10 PDT 2005


On Thu, 12 May 2005, DH wrote:

> I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 & 
> 0.45 report that my /sbin/init file is infected.

I should mention that 4.10-release is up to p13.  You should really think 
about patching up to current.

> It appears as though the egrep for "UPX" in the output of "strings" 
> triggers the infected notice. When I copy the init file from an 
> uninfected box to this one chkrootkit continues to report it as 
> infected. Is chkrootkit reading a copy of the /sbin/init file stored in 
> active memory? If my machine is compromised, which rootkit is installed 
> / how can I find out which rootkit is installed?

The easiest way to figure out if you are rooted is probably to download or 
create a clean version of /sbin/init, and compare the two files. 
Creating might take some work, you'd have to install a clean 4.10, patch 
it to p2, and make world.

-- 
Matt Piechota
Key Available from pgp.mit.edu
PGP Key fingerprint = FC90 4D65 2F8A 38E9 D1A8  FABB 7AE8 C194 5EC8 9CAD
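The two checks discussed in this exchange, chkrootkit's "UPX" string heuristic and Matt's suggestion of comparing the suspect /sbin/init byte-for-byte against a known-clean copy, as a small shell example. This is an added illustration, not code from the thread or from chkrootkit; the file paths are assumptions and the sample "binaries" are constructed stand-ins. Where chkrootkit pipes `strings` into `egrep`, this uses `grep -a` on the raw file, which is equivalent for the purpose of spotting the packer marker.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list post).
# Reproduces the two checks in the thread: the chkrootkit-style "UPX" string
# heuristic, and the byte-for-byte comparison against a known-clean init.

# upx_heuristic FILE -> "suspicious" if the packer marker "UPX" occurs anywhere
# in the file, "clean" otherwise. chkrootkit does strings | egrep UPX; grep -a
# (treat binary as text) gives the same result. This is only a heuristic: a
# legitimately UPX-packed binary trips it too, which is the false positive
# DH describes above.
upx_heuristic() {
    if grep -a -q 'UPX' "$1"; then
        echo suspicious
    else
        echo clean
    fi
}

# compare_to_reference SUSPECT REFERENCE -> "match" when the two files are
# byte-identical, "differ" otherwise. The reference must be a clean init from
# the same release and patch level (Matt's point about rebuilding 4.10-p2),
# otherwise a legitimate difference looks like tampering.
compare_to_reference() {
    if cmp -s "$1" "$2"; then
        echo match
    else
        echo differ
    fi
}

# check_init SUSPECT REFERENCE -> a one-word verdict combining both checks:
#   "clean"          heuristic quiet and the files match
#   "false-positive" heuristic fires, but the suspect equals the clean reference
#   "modified"       the files differ (the heuristic is irrelevant at that point)
check_init() {
    h=$(upx_heuristic "$1")
    c=$(compare_to_reference "$1" "$2")
    if [ "$c" = differ ]; then
        echo modified
    elif [ "$h" = suspicious ]; then
        echo false-positive
    else
        echo clean
    fi
}

# Constructed demo data standing in for /sbin/init copies (assumed paths).
demo() {
    d=$(mktemp -d)
    # a clean build that happens to contain the "UPX" marker
    printf 'ELF\0init binary\0UPX!\0' > "$d/init.ref"
    # the suspect box's copy: identical to the reference
    cp "$d/init.ref" "$d/init.suspect"
    # a copy that has been altered
    printf 'ELF\0init binary\0UPX!\0extra\0' > "$d/init.bad"
    # a binary with no marker at all
    printf 'ELF\0init binary\0' > "$d/init.plain"
    echo "suspect vs ref:  $(check_init "$d/init.suspect" "$d/init.ref")"
    echo "altered vs ref:  $(check_init "$d/init.bad" "$d/init.ref")"
    echo "plain vs itself: $(check_init "$d/init.plain" "$d/init.plain")"
    rm -rf "$d"
}

demo
```

On a real system the reference copy has to come from trusted media or a clean build of the same release and patch level, as Matt says; the comparison, not the string match, is what settles whether the file on disk was changed.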
