False positives from chkrootkit? or hacked test server?

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Apr 15 00:29:24 PDT 2004

On Wed, Apr 14, 2004 at 12:29:19PM -0700, Mike wrote:

> Well... I installed and ran chkrootkit. And the output shows that:
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
> No rootkits were found.

> Question: Does chkrootkit ever generate false positives?

In a word: yes.  This was something that was quite a popular question
on this list some months back around the time of one of the earlier
5.x releases.  I don't remember anyone mentioning this in the context
of 4.9 or earlier systems, but that could just be my memory failing.


For the rest of the traffic look at:


(Nb. chkrootkit has since been fixed to work correctly under 5.x)

However see this:




Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20040415/b4577f32/attachment.bin

More information about the freebsd-questions mailing list