FreeBSD-chkrootkit-concerns

email tony at armstrong.org.uk
Sun Apr 27 04:09:17 PDT 2003 

hello, 
   I am new to BSD but have been using linux for quite some time and never 
come across this before on a system i have used. 
 
I have a question which i posted on a BSD forum concerning chkrootkit 
 and FreeBSD release 5.0. 
I installed FreeBSD and 2 days later when i ran chkrootkit i had the 
 following come up as being infected chfn, chsh, date,ls and ps. 
 
The forum admin said that this had already been noted and pointed me to  
here, 
http://www.freebsd.org/cgi/search.cgi?words=chkrootkit&max=25&sort=score&index=recent&source=freebsd-questions 
 
Having looked through the posts i can see that there has been an issue 
regarding FreeBSD and chkrootkit, however i thought i would have a look at 
'date' in /bin to be on the safe side. When i did 'strings date' i had the following 
which makes me think that the system is hosed. 
 
This is only extracts from the content i found in 'date' (it goes on for a few 
pages), and some of the other commands i checked have the same. 
 
---------------------------------------------------------------------------------------- 
 
fatal flex scanner internal error--no action found  
 fatal flex scanner internal error--end of buffer missed  
 input buffer overflow, can't enlarge buffer because scanner uses  
 REJECT  
 out of dynamic memory in yy_create_buffer()  
 out of dynamic memory in yy_scan_buffer()  
 out of dynamic memory in yy_scan_bytes()  
 input in flex scanner failed  
 bad buffer in yy_scan_bytes()  
 %s line %d: %s at '%s'  
 0123456789  
 0123456789abcdef  
 0123456789ABCDEF  
 %s:  
 Unknown error:  
 %u.%u.%u.%u  
 /usr/bin:/bin:/usr/sbin:/sbin:  
 0123456789abcdef  
 (null)  
 
RPC: Success  
 RPC: Can't encode arguments  
 RPC: Can't decode result  
 RPC: Unable to send  
 RPC: Unable to receive  
 RPC: Timed out  
 RPC: Authentication error  
 RPC: Program unavailable  
 RPC: Program/version mismatch  
 RPC: Procedure unavailable  
 RPC: Remote system error  
 RPC: Unknown host  
 RPC: Port mapper failure  
 RPC: Program not registered  
 RPC: Unknown protocol  
 RPC: (unknown error code)  
 
/var/run/rpcbind.sock  
 127.0.0.1  
 gethostbyname  
 gethostbyaddr  
 gethostby*.gethostanswer: asked for "%s", got "%s"  
 gethostby*.gethostanswer: asked for "%s %s %s", got type "%s"  
 Impossible condition (type=%d)  
 static buffer is too small (%d)  
 size (%d) too big  
 Too many addresses (%d)  
 res_search failed (%d)  
 
master.passwd.byname  
 passwd.adjunct.byname  
 passwd-%u  
 passwd  
 master.passwd.byuid  
 getpwcompat  
 passwd_compat  
 getpwent  
 getpwnam  
 getpwuid  
 /etc/spwd.db  
 /etc/pwd.db  
------------------------------------------------------------------------------- 
 
I have compared it with 'date' on another PC running Debian that one only 
shows text to do with date i.e months days etc. 
 
It's just when i posted this on the forum the admin said "I think that you are 
overanalyzing here... and many people had noticed this and it was due to 
FreeBSD 5.0 being unsupported by chkrootkit, but if i still thought i was hosed, 
then i should post to this mailing list. 
 
Have i been hosed or am i just overanalyzing? 
I would rather be over cautious that under cautious. 
 
	Tony. 
 
--  
NeoMail . 
http://neomail.sourceforge.net

More information about the freebsd-questions mailing list