False positives from chkrootkit? or hacked test server?
m.seaman at infracaninophile.co.uk
Thu Apr 15 00:29:24 PDT 2004
On Wed, Apr 14, 2004 at 12:29:19PM -0700, Mike wrote:
> Well... I installed and ran chkrootkit. And the output shows that:
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
> No rootkits were found.
> Question: Does chkrootkit ever generate false positives?
In a word: yes. This was something that was quite a popular question
on this list some months back around the time of one of the earlier
5.x releases. I don't remember anyone mentioning this in the context
of 4.9 or earlier systems, but that could just be my memory failing.
For the rest of the traffic look at:
(Nb. chkrootkit has since been fixed to work correctly under 5.x)
However see this:
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20040415/b4577f32/attachment.bin
More information about the freebsd-questions