chkrootkit V. 0.47

Nikolay Pavlov qpadla at gmail.com
Tue Nov 20 09:29:29 PST 2007


On Tuesday 20 November 2007 16:41:52 JP wrote:
> Running FreeBSD 6.1
>
> After changing chkrootkit to the latest version V. 0.47 and compiling it
> then running it I get the following:
>
> ==================<SNIPPIT>================
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS:  6667)
> Checking `lkm'... You have   131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... vr0 is not promisc
> Checking `w55808'... not infected
> Checking `wted'... chkwtmp: nothing deleted
> ==================</SNIPPIT>================
>
> Looking above, the above shows a few anomalies like the bindshell ...
> INFECTED (PORTS: 6667)
> --and--
> Checking `lkm'... You have   131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
>
> I do run an IRCd, and also YABB Message board along with APACHE web
> server - would the above then be normal output, and what about the lkm?
> Many thanks to those with more experience in this area.
>

Such tools are known to trigger false positives sometimes. I'd recommend
playing with some additional utilities like lsof. In case of bindshell try to
find processes that were executed from world-writable directories such
as /tmp. Try to shut down httpd and other daemons and see if any of them
are still running.


-- 
======================================================================  
- Best regards, Nikolay Pavlov. <<<-----------------------------------    
======================================================================  
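The two triage steps suggested in the reply (see which process owns port 6667, and look for executables started from world-writable directories), as an added example that is not code from the thread or from chkrootkit. It assumes lsof(8) is installed and reads its usual output columns; the sample lines used for checking are constructed.

```sh
#!/bin/sh
# Added triage helpers for the findings above; not code from chkrootkit or the thread.
# Assumes lsof(8), as recommended in the reply. Typical use (not run here):
#   lsof -nP -i TCP:6667 | listeners_on_port 6667
#   lsof -d txt          | exes_in_world_writable

# Read `lsof -nP -i TCP:PORT` output on stdin and print "command pid user" for every
# process holding a LISTEN socket on that port. This shows whether 6667 belongs to
# the IRCd the poster runs or to something unexpected (the bindshell case).
listeners_on_port() {
    awk -v port="$1" '
        NR > 1 && $NF == "(LISTEN)" && $(NF-1) ~ (":" port "$") { print $1, $2, $3 }'
}

# Read `lsof -d txt` output on stdin (FD "txt" lines name each process's executable)
# and print "pid path" for every executable that lives under a world-writable
# directory such as /tmp, which is where a dropped bindshell is usually started from.
# Note: paths containing spaces are not handled by the $NF field split.
exes_in_world_writable() {
    awk 'NR > 1 && $4 == "txt" { print $2, $NF }' |
    while read -r pid path; do
        dir=$(dirname "$path")
        # 9th character of `ls -ld` output is the other-write bit; same on BSD and GNU.
        if [ "$(ls -ldL "$dir" 2>/dev/null | cut -c9)" = "w" ]; then
            echo "$pid $path"
        fi
    done
}
```

Hits from the second function are worth checking against the first: a listener on 6667 whose executable sits in /tmp is the combination the chkrootkit warning is about, while an IRCd binary under /usr/local explains the port by itself.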
