False positives from chkrootkit? or hacked test server?

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Apr 15 00:29:24 PDT 2004


On Wed, Apr 14, 2004 at 12:29:19PM -0700, Mike wrote:

> Well... I installed and ran chkrootkit. And the output shows that:
> 
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
> 
> No rootkits were found.

> Question: Does chkrootkit ever generate false positives?

In a word: yes.  This was something that was quite a popular question
on this list some months back around the time of one of the earlier
5.x releases.  I don't remember anyone mentioning this in the context
of 4.9 or earlier systems, but that could just be my memory failing.

   http://lists.freebsd.org/pipermail/freebsd-security/2003-August/000755.html

For the rest of the traffic look at:

   http://www.google.co.uk/search?hl=en&ie=UTF-8&oe=UTF-8&safe=off&q=site%3Alists.freebsd.org+chkrootkit+chfn+INFECTED&btnG=Search&meta=

(Nb. chkrootkit has since been fixed to work correctly under 5.x)

However, see this:

    http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011362.html

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20040415/b4577f32/attachment.bin
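The thread above settles the question in the abstract (chkrootkit on 5.x did produce spurious INFECTED verdicts for chfn, chsh, date, ls and ps), but a practitioner still wants a way to tell a false positive from a real one on the box in front of them. The script below is an added example, not part of this list post and not chkrootkit's own code: it pulls the names chkrootkit marked INFECTED out of a saved report and compares each binary's MD5 against a manifest taken from a trusted copy of the same release (the install media, a freshly built /usr/obj, or a known-clean host). The manifest format (`<md5> <absolute path>`, as `md5 -r` on FreeBSD or `md5sum` on Linux emits) and the function names are assumptions of this example. The constructed report and manifest used in the test are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the list post or from chkrootkit): cross-check the
# binaries chkrootkit reports as INFECTED against checksums from a trusted copy.
# Assumptions: the manifest holds "<md5> <absolute path>" lines, produced on a
# clean system with `md5 -r` (FreeBSD) or `md5sum` (Linux); the flagged tools
# live in /bin, /usr/bin, /sbin or /usr/sbin.

# Print the names chkrootkit flagged, one per line, reading its report on stdin.
# A report line looks like:  Checking `chfn'... INFECTED
flagged_from_report() {
    awk -F"'" '/\.\.\. INFECTED$/ { sub(/^Checking `/, "", $1); print $1 }'
}

# Portable MD5 of one file: FreeBSD ships md5(1), Linux ships md5sum(1).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_flagged REPORT MANIFEST [ROOT]
# For every flagged name, find the binary under ROOT (default: the live system),
# compare its checksum with the manifest entry for that path, and print
# "<name> MATCH|MISMATCH|UNKNOWN ...". Exit status 1 if any binary mismatched.
verify_flagged() {
    report=$1 manifest=$2 root=${3:-}
    rc=0
    for name in $(flagged_from_report < "$report"); do
        path=
        for dir in /bin /usr/bin /sbin /usr/sbin; do
            if [ -x "$root$dir/$name" ]; then
                path="$dir/$name"
                break
            fi
        done
        if [ -z "$path" ]; then
            echo "$name UNKNOWN (not found under ${root:-/})"
            continue
        fi
        expected=$(awk -v p="$path" '$2 == p { print $1 }' "$manifest")
        actual=$(file_md5 "$root$path")
        if [ -z "$expected" ]; then
            echo "$name UNKNOWN ($path not in manifest)"
        elif [ "$expected" = "$actual" ]; then
            echo "$name MATCH $path"
        else
            echo "$name MISMATCH $path"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_flagged.sh chkrootkit.log manifest.md5 [ROOT]
if [ $# -ge 2 ]; then
    verify_flagged "$@"
fi
```

A MATCH against a manifest built from clean media means the INFECTED verdict came from chkrootkit's string signatures, not from a modified binary; a MISMATCH is the point at which you stop trusting the host's own tools and investigate from read-only media, since a rootkit that replaced ls and ps can just as easily have replaced md5.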