False positives from chkrootkit? or hacked test server?

Bob Collins bobc at anything-inc.com
Wed Apr 14 13:44:20 PDT 2004

On Wed, Apr 14, 2004, Mike clacked the keyboard to produce:
> Greetings:
> My test system:
> FreeBSD 4.9-stable
> Pentium III 800
> I read an earlier post about using chkrootkit to check for root kits 
> (intrusions).  I'm still learning about FreeBSD so I thought I would run 
> this too.
> Well... I installed and ran chkrootkit. And the output shows that:
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
> No rootkits were found.
> This FreeBSD system is a test server running Postfix, Samba, Apache, 
> PHP4, MySql, and akpop3. For a firewall I run IPFW.
> This computer sits behind a NAT router (linksys BEFSR41).  The Linksys 
> router forwards a few ports (25, 110, 80) to a different server (a 
> Redhat-9 system). However, NO PORTS are forwarded to this FreeBSD system.
> My Redhat-9 server that runs Apache, Mysql, php4, and postfix.
> Question: Does chkrootkit ever generate false positives?

Michael, I cannot answer your question, but rather throw in my false
positive question as well.

I am running FBSD 5.0 release with named, Apache, MySQL, and Samba too.
I receieved the exact same positives from my system. Everything else is

In Googling I found a question as such and the only reply was FAQ and
read the archives, to wit, some joker has a name of chkrootkit and you
get a zillion of his mails, yet nothing helpful otherwise. Looking
forward to hearing something too.


"Play is the work of children. It's very serious stuff. And if it's
properly structured in a developmental program, children can blossom."
-Bob Keeshan aka `Captain Kangaroo'

More information about the freebsd-questions mailing list