False positives from chkrootkit? or hacked test server?
Matthew Seaman
m.seaman at infracaninophile.co.uk
Thu Apr 15 00:29:24 PDT 2004
On Wed, Apr 14, 2004 at 12:29:19PM -0700, Mike wrote:
> Well... I installed and ran chkrootkit. And the output shows that:
>
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
>
> No rootkits were found.
> Question: Does chkrootkit ever generate false positives?
In a word: yes. This was something that was quite a popular question
on this list some months back around the time of one of the earlier
5.x releases. I don't remember anyone mentioning this in the context
of 4.9 or earlier systems, but that could just be my memory failing.
http://lists.freebsd.org/pipermail/freebsd-security/2003-August/000755.html
For the rest of the traffic look at:
http://www.google.co.uk/search?hl=en&ie=UTF-8&oe=UTF-8&safe=off&q=site%3Alists.freebsd.org+chkrootkit+chfn+INFECTED&btnG=Search&meta=
(Nb. chkrootkit has since been fixed to work correctly under 5.x)
However see this:
http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011362.html
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20040415/b4577f32/attachment.bin
More information about the freebsd-questions
mailing list