FreeBSD-chkrootkit-concerns
email
tony at armstrong.org.uk
Sun Apr 27 04:09:17 PDT 2003
Hello,
I am new to BSD but have been using Linux for quite some time and never
come across this before on a system I have used.
I have a question which I posted on a BSD forum concerning chkrootkit
and FreeBSD release 5.0.
I installed FreeBSD and 2 days later when I ran chkrootkit I had the
following come up as being infected: chfn, chsh, date, ls and ps.
The forum admin said that this had already been noted and pointed me to
here:
http://www.freebsd.org/cgi/search.cgi?words=chkrootkit&max=25&sort=score&index=recent&source=freebsd-questions
Having looked through the posts I can see that there has been an issue
regarding FreeBSD and chkrootkit; however, I thought I would have a look at
'date' in /bin to be on the safe side. When I did 'strings date' I had the following,
which makes me think that the system is hosed.
These are only extracts from the content I found in 'date' (it goes on for a few
pages), and some of the other commands I checked have the same.
----------------------------------------------------------------------------------------
fatal flex scanner internal error--no action found
fatal flex scanner internal error--end of buffer missed
input buffer overflow, can't enlarge buffer because scanner uses REJECT
out of dynamic memory in yy_create_buffer()
out of dynamic memory in yy_scan_buffer()
out of dynamic memory in yy_scan_bytes()
input in flex scanner failed
bad buffer in yy_scan_bytes()
%s line %d: %s at '%s'
0123456789
0123456789abcdef
0123456789ABCDEF
%s:
Unknown error:
%u.%u.%u.%u
/usr/bin:/bin:/usr/sbin:/sbin:
0123456789abcdef
(null)
RPC: Success
RPC: Can't encode arguments
RPC: Can't decode result
RPC: Unable to send
RPC: Unable to receive
RPC: Timed out
RPC: Authentication error
RPC: Program unavailable
RPC: Program/version mismatch
RPC: Procedure unavailable
RPC: Remote system error
RPC: Unknown host
RPC: Port mapper failure
RPC: Program not registered
RPC: Unknown protocol
RPC: (unknown error code)
/var/run/rpcbind.sock
127.0.0.1
gethostbyname
gethostbyaddr
gethostby*.gethostanswer: asked for "%s", got "%s"
gethostby*.gethostanswer: asked for "%s %s %s", got type "%s"
Impossible condition (type=%d)
static buffer is too small (%d)
size (%d) too big
Too many addresses (%d)
res_search failed (%d)
master.passwd.byname
passwd.adjunct.byname
passwd-%u
passwd
master.passwd.byuid
getpwcompat
passwd_compat
getpwent
getpwnam
getpwuid
/etc/spwd.db
/etc/pwd.db
-------------------------------------------------------------------------------
I have compared it with 'date' on another PC running Debian; that one only
shows text to do with date, i.e. months, days etc.
It's just that when I posted this on the forum the admin said "I think that you are
overanalyzing here..." and many people had noticed this and it was due to
FreeBSD 5.0 being unsupported by chkrootkit, but if I still thought I was hosed,
then I should post to this mailing list.
Have I been hosed or am I just overanalyzing?
I would rather be overcautious than undercautious.
Tony.
--
NeoMail .
http://neomail.sourceforge.net
More information about the freebsd-questions mailing list