HELP - Rootkit - add info

Lowell Gilbert freebsd-questions-local at
Tue May 20 19:55:57 PDT 2003

Guy Van Sanden <n.b at> writes:

> I forgot to mention some basic stuff (the idea that my box could be
> hacked scares the living daylight out of me).
> I run FreeBSD 5.0-RELEASE (patches applied)
> the md5sums of the files in question match those on (of
> course md5 could be hacked as well).
> Last does not report any strange connections, and I can't find anything
> on my firewall that indicates this too.
> I ran aide (against an old database), and it doesn't report these files
> as changed either (which also is inconclusive).
> I'm currently running clamscan on everything, but thats going to take a
> while.
> Thanks for any help
> -----Forwarded Message-----
> From: Guy Van Sanden <n.b at>
> To: freebsd-questions at
> Subject: HELP - Rootkit
> Date: 20 May 2003 21:18:38 +0200
> I found some strange files in /stand namely -sh and [
> This got me somewhat suspicious, so I installed chkrootkit.

There are supposed to be files by those names.
Also, chrootkit is known to give false positives on FreeBSD 5.x.

This doesn't guarantee that you're uninfected, but so far everything
you've described is the same as a clean install.

More information about the freebsd-questions mailing list