chkrootkit w/ current
cas
xcas at cox.net
Sun Jun 8 06:20:40 PDT 2003
============================================================
From: "Perry S. Glenn" <psglenn at yahoo.com>
Date: 2003/06/08 Sun AM 03:44:35 EDT
To: freebsd-current at freebsd.org
Subject: chkrootkit w/ current
Hello,
I'm running current and I had forgotten to turn the ftp knob in
inetd.conf off. I came back after a drive to find my /var/ filesystem
full. I did not (per sysinstall) have anon ftp on, but someone made
lots of bogus directories in /var/ftp/pub anyway.
I decided to install /ports/security/chkrootkit after a short google.
chkrootkit says it finds 12 processes hidden from ps command and a
possible LKM Trojan installed.
chkrootkit also calls ls, ps, date, chsh and chfn "INFECTED".
Is chkrootkit giving accurate info for FreeBSD-5?
Could someone check to see if they get false positives with this script
on current?
TIA
--psglenn
============================================================
yes.. it does give false positives.. I asked the same question about those commands. :-)