False positives from chkrootkit? or hacked test server? [SOLVED]
Mike
addymin at pacbell.net
Wed Apr 14 14:10:40 PDT 2004
Jeff Maxwell wrote:
> upgrade your ports. The chkrootkit that ships with 4.9 gives false
> positives
>
Jeff:
Thanks for the tip.
I deinstalled the chkrootkit (v-4.1) that came with 4.9. I then
downloaded and installed the most recent version (v-4.3) from the
chkrootkit.org site.
I re-ran chkrootkit and found NO infected files and NO rootkits.
Michael Chinn
>
> On Apr 14, 2004, at 3:29 PM, Mike wrote:
>
>> Greetings:
>>
>> My test system:
>> FreeBSD 4.9-stable
>> Pentium III 800
>>
>> I read an earlier post about using chkrootkit to check for root kits
>> (intrusions). I'm still learning about FreeBSD so I thought I would
>> run this too.
>>
>> Well... I installed and ran chkrootkit. And the output shows that:
>>
>> Checking `chfn'... INFECTED
>> Checking `chsh'... INFECTED
>> Checking `date'... INFECTED
>> Checking `ls'... INFECTED
>> Checking `ps'... INFECTED
>>
>> No rootkits were found.
>>
>> This FreeBSD system is a test server running Postfix, Samba, Apache,
>> PHP4, MySql, and akpop3. For a firewall I run IPFW.
>>
>> This computer sits behind a NAT router (linksys BEFSR41). The Linksys
>> router forwards a few ports (25, 110, 80) to a different server (a
>> Redhat-9 system). However, NO PORTS are forwarded to this FreeBSD system.
>>
>> My Redhat-9 server runs Apache, Mysql, php4, and postfix.
>>
>> Question: Does chkrootkit ever generate false positives?
>>
>> This system has just a few test websites on it (test data) and nothing
>> else. But if this system has been compromised, then how, given that
>> any public services (forwarded from the router) coming across ports
>> 25, 110, 80, 22 are sent to a different server altogether?
>>
>> I would appreciate any hints or pointers. Thank you.
>>
>> Michael Chinn
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
>>
>
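The thread's resolution (upgrade chkrootkit and re-run) is the right first step, but a practitioner who sees `INFECTED` on ls, ps and friends usually wants a second, independent opinion before trusting either result, since that line reflects a signature match inside the binary rather than proof that the file changed. The script below is an added example, not code from the thread or from the chkrootkit project: it parses chkrootkit-style output for the names flagged INFECTED and compares each binary's SHA-256 against a manifest recorded while the system was known-good. The manifest format (`name hash` per line), the `hash_file`, `infected_names`, `verify_flagged` and `make_sample_dir` function names, and all of the report, manifest and binary contents are constructed for this example; it assumes `sha256sum` (Linux) or `sha256` (FreeBSD) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check binaries that chkrootkit
# reports as INFECTED against a hash manifest recorded from a known-good install.
# All report, manifest and "binary" contents below are constructed sample data.

set -u

# Portable SHA-256 of one file: FreeBSD ships sha256(1), Linux ships sha256sum(1).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Print the name of every binary a chkrootkit report marks INFECTED.
# Input lines look like: Checking `ls'... INFECTED
infected_names() {
    sed -n "s/^Checking \`\([^']*\)'\.\.\. INFECTED\$/\1/p" "$1"
}

# Compare each flagged binary under $bindir with the manifest ("name hash" lines).
# Prints "<name> OK" when the hash matches the baseline, "<name> MISMATCH" when it
# differs and "<name> NO-BASELINE" when the manifest has no entry for it.
# Returns 1 if any MISMATCH was seen, otherwise 0.
verify_flagged() {
    report=$1; manifest=$2; bindir=$3
    rc=0
    for name in $(infected_names "$report"); do
        expected=$(awk -v n="$name" '$1 == n { print $2 }' "$manifest")
        if [ -z "$expected" ]; then
            echo "$name NO-BASELINE"
        elif [ "$(hash_file "$bindir/$name")" = "$expected" ]; then
            echo "$name OK"
        else
            echo "$name MISMATCH"; rc=1
        fi
    done
    return $rc
}

# Build a throwaway directory with constructed data and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    # Constructed stand-ins for the binaries; plain text files are enough to hash.
    for n in chfn chsh date ls ps; do printf 'pristine %s\n' "$n" > "$d/bin/$n"; done
    # Baseline recorded while the system was known-good; `date` is deliberately
    # left out to show the NO-BASELINE case.
    for n in chfn chsh ls ps; do
        printf '%s %s\n' "$n" "$(hash_file "$d/bin/$n")"
    done > "$d/manifest.txt"
    # Simulate a later, unexpected change to `ps` (constructed, not from the thread).
    printf 'modified ps\n' > "$d/bin/ps"
    # Constructed chkrootkit-style report mirroring the lines quoted in the thread.
    cat > "$d/report.txt" <<'EOF'
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED
Checking `login'... not infected
EOF
    echo "$d"
}

# Usage: run against the constructed data, then clean up.
dir=$(make_sample_dir)
verify_flagged "$dir/report.txt" "$dir/manifest.txt" "$dir/bin" \
    || echo "at least one flagged binary differs from its baseline"
rm -rf "$dir"
```

On the constructed data this prints `chfn OK`, `chsh OK`, `date NO-BASELINE`, `ls OK`, `ps MISMATCH`: four signature hits that the baseline clears, one binary with no baseline to judge against, and one that actually changed. In the situation described in the thread, a clean upgrade of chkrootkit plus all-OK hashes would give two independent reasons to treat the original report as false positives, while a MISMATCH would be the one case worth escalating regardless of what the newer chkrootkit says. The manifest is only as trustworthy as the moment it was taken, so it belongs on a known-good system (or a package database) rather than on the host being checked.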