False positives from chkrootkit? or hacked test server?

Martin Hudec corwin at aeternal.net
Wed Apr 14 14:42:39 PDT 2004


Hello all,

On Wed, Apr 14, 2004 at 02:11:34PM -0700 or thereabouts, Mike wrote:
> Jeff Maxwell wrote:
> 
> >upgrade your ports. The chkrootkit that ships with 4.9 gives false 
> >positives
> >


	I'm using chkrootkit from a fresh ports update (v4.3). Results are as follows:

System 1 on 4.9-STABLE:
nothing found

System 2 on 4.10-BETA:
chfn, chsh, date infected

System 3 on 5.2.1-RELEASE-p4:
date infected, stops (freezes) at checking 'lkm'

strace shows:
wait4(-1, Process 610 attached - interrupt to quit

	Systems are behind two firewalls, with only ssh allowed (5.x) or
ftp, ssh, smtp, www, pop3 and https allowed (4.x).


-- 
Martin Hudec		| corwin at aeternal.net
			| corwin at web.markiza.sk
http://www.aeternal.net	| cell +421 907 303 393


