False positives from chkrootkit? or hacked test server? [SOLVED]
addymin at pacbell.net
Wed Apr 14 14:10:40 PDT 2004
Jeff Maxwell wrote:
> upgrade your ports. The chkrootkit that ships with 4.9 gives false
Thanks for the tip.
I deinstalled the chkrootkit (v-4.1) that came with 4.9. I then
downloaded and installed the most recent version (v-4.3) from the
I re-ran chkrootkit and found NO infected files and NO rootkits.
> On Apr 14, 2004, at 3:29 PM, Mike wrote:
>> My test system:
>> FreeBSD 4.9-stable
>> Pentium III 800
>> I read an earlier post about using chkrootkit to check for root kits
>> (intrusions). I'm still learning about FreeBSD so I thought I would
>> run this too.
>> Well... I installed and ran chkrootkit. And the output shows that:
>> Checking `chfn'... INFECTED
>> Checking `chsh'... INFECTED
>> Checking `date'... INFECTED
>> Checking `ls'... INFECTED
>> Checking `ps'... INFECTED
>> No rootkits were found.
>> This FreeBSD system is a test server running Postfix, Samba, Apache,
>> PHP4, MySql, and akpop3. For a firewall I run IPFW.
>> This computer sits behind a NAT router (linksys BEFSR41). The Linksys
>> router forwards a few ports (25, 110, 80) to a different server (a
>> Redhat-9 system). However, NO PORTS are forwarded to this FreeBSD system.
>> My Redhat-9 server that runs Apache, Mysql, php4, and postfix.
>> Question: Does chkrootkit ever generate false positives?
>> This system has just few test websites on it (test data) and nothing
>> else. But if this system has been compromised, then how? Given that
>> any public services (forwarded from the router) coming across ports
>> 25, 110, 80, 22 are sent to a different server altogether?
>> I would appreciate any hints or pointers. Thank you.
>> Michael Chinn
>> freebsd-questions at freebsd.org mailing list
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions