[Fwd: New FreeBSD release breaks version detection in chkrootkit.]

Artur Pydo artur at pydo.org
Wed Apr 7 17:58:10 PDT 2004


I sent a message to the authors of chkrootkit earlier today
because the FreeBSD version detection is broken with the release
of 4.10 and chkrootkit displays false positives with 'chfn',
'chsh' and 'date'.

-------- Original Message --------
Subject: New FreeBSD release breaks version detection in chkrootkit.
Date: Thu, 08 Apr 2004 02:48:54 +0200
From: Artur Pydo <artur at pydo.org>
To: nelson at pangeia.com.br
CC: jessen at nic.br


FreeBSD released 4.10 Beta today and this version
number breaks your version detection in the chkrootkit
shell script.

Example:

VERSION=`${uname} -r` <= returns 4.10-BETA
if [ "${SYSTEM}" != "FreeBSD" -a ${SYSTEM} != "OpenBSD" ] ; then
    V=`echo $VERSION | cut -d- -f 1 | ${sed} 's/\.//g'` <= returns 410

While detecting FreeBSD 5.0 you look for a value greater than 50
and it fails with the current release as its value is 410.

The result of this is false positives on:

Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED


Best regards,

Artur Pydo.
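
The failure described in the message above, as an added example that is not chkrootkit's code: the dot-stripped release number is tested against the 5.0 threshold, beside a comparison that treats major and minor as separate integers. The function names, the exact comparison operator and the sample release strings are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added illustration; not taken from chkrootkit. All function names are hypothetical.

# Flattening as quoted in the message: drop the "-SUFFIX", then delete the dots.
flat_version() {
    echo "$1" | cut -d- -f 1 | sed 's/\.//g'
}

# Threshold test on the flattened number. The message gives the threshold (50);
# the operator is assumed here so that 5.0 itself (50) matches.
flat_is_5x() {
    [ "$(flat_version "$1")" -ge 50 ]
}

# Compare major and minor as two integers instead of one flattened number.
# Usage: version_ge RELEASE MAJOR MINOR
# Returns 0 if RELEASE >= MAJOR.MINOR, 1 if not, 2 if RELEASE cannot be parsed.
version_ge() {
    rel=${1%%-*}                 # 4.10-BETA -> 4.10
    major=${rel%%.*}             # 4.10 -> 4
    rest=${rel#*.}               # 4.10 -> 10, 5.2.1 -> 2.1
    if [ "$rest" = "$rel" ]; then
        rest=0                   # no dot at all: treat the minor as 0
    fi
    minor=${rest%%.*}            # 2.1 -> 2
    for n in "$major" "$minor"; do
        case "$n" in
            ''|*[!0-9]*) return 2 ;;   # not a number: refuse to guess
        esac
    done
    if [ "$major" -gt "$2" ]; then
        return 0
    fi
    [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]
}

# Constructed sample release strings in the format `uname -r` prints on FreeBSD.
for r in 4.9-RELEASE 4.10-BETA 5.2.1-RELEASE; do
    if flat_is_5x "$r"; then f=5.x; else f=4.x; fi
    if version_ge "$r" 5 0; then s=5.x; else s=4.x; fi
    echo "$r: flattened value $(flat_version "$r") -> $f, split compare -> $s"
done
```

With the flattened test, 4.10-BETA lands in the 5.x branch, which is how the 4.x binaries come to be checked against the wrong expectations and reported as INFECTED.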
