Hacked or not ?
Matthew Seaman
m.seaman at infracaninophile.co.uk
Fri May 21 14:41:11 PDT 2004
On Fri, May 21, 2004 at 04:11:33PM -0400, Tom Rhodes wrote:
> On Fri, 21 May 2004 21:02:54 +0100
> Matthew Seaman <m.seaman at infracaninophile.co.uk> wrote:
>
> > On Fri, May 21, 2004 at 03:52:45PM +0200, RazorOnFreeBSD wrote:
> >
> > > I have a 4.9-STABLE FreeBSD box apparently hacked!
> > > Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> > > Those are:
> > > chfn ... INFECTED
> > > chsh ... INFECTED
> > > date ... INFECTED
> > > ls ... INFECTED
> > > ps ... INFECTED
> >
> > Sheesh. Not this *again*. This is a false alarm: chkrootkit is
> > exceedingly sensitive to something about the way such programs work
> > under FreeBSD and has to be continually futzed so that it knows not to
> > complain on each successive version of FreeBSD. Comes up in this or
> > other FreeBSD lists just about every week.
> >
> > Relax. You're not compromised. You just need better tools.
> >
>
> I love the "just need better tools." without any recommendation
> for him.
Well, the question was "has my machine been compromised", which I
answered.
The current version of chkrootkit in ports (0.43) has a problem
whereby it thinks FreeBSD 4.10 is a higher version than FreeBSD 5.0,
which means that it reports certain programs are infected because they
*don't* fail in the expected way found on 5.0 or above. Here's a
patch:
--- chkrootkit.orig Fri May 21 22:19:16 2004
+++ chkrootkit Fri May 21 22:36:29 2004
@@ -257,7 +257,7 @@
{
prog=""
if [ \( "${SYSTEM}" = "Linux" -o \( "${SYSTEM}" = "FreeBSD" -a \
- ${V} -gt 43 \) \) -a "${ROOTDIR}" = "/" ]; then
+ ${V} -gt 403 \) \) -a "${ROOTDIR}" = "/" ]; then
[ ! -x /usr/local/sbin/chkproc ] && prog="/usr/local/sbin/chkproc"
[ ! -x /usr/local/sbin/chkdirs ] && prog="$prog /usr/local/sbin/chkdirs"
if [ "$prog" != "" ]; then
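Review bot: the new threshold 403 only reads as "newer than FreeBSD 4.3" if V is produced by the major*100+minor expression from the hunk at line 2398; on its own this hunk just swaps one magic number for another. A short comment beside the comparison, or a named constant, would make the encoding visible here, and the same applies to the 500, 207, 208 and 300 values in the later hunks.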
@@ -1080,7 +1080,7 @@
STATUS=${INFECTED}
fi;;
FreeBSD)
- [ $V -gt 50 ] && n=1 || n=2
+ [ $V -gt 500 ] && n=1 || n=2
if [ `${strings} -a ${CMD} | \
${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
then
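Review bot: `-gt 500` excludes 5.0 itself, so a 5.0-RELEASE box still gets n=2 and is checked like the 4.x branch; the description in the mail says the differing behaviour is "found on 5.0 or above", which would correspond to `-ge 500`. The patch faithfully preserves the old `-gt 50` boundary, so this may be intended, but it is worth confirming which side of the line 5.0 belongs on.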
@@ -1114,7 +1114,7 @@
fi
fi;;
FreeBSD)
- [ $V -gt 50 ] && n=1 || n=2
+ [ $V -gt 500 ] && n=1 || n=2
if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
then
STATUS=${INFECTED}
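Review bot: this comparison is the same line as in the hunk at 1080, duplicated verbatim, so the 5.0 boundary question applies here as well; computing `n` once after V is set (or in a small helper) would keep the two sites from drifting apart on the next version bump.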
@@ -1145,10 +1145,10 @@
ret=`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"`
if [ ${ret} -gt 0 ]; then
case ${ret} in
- 1) [ "${SYSTEM}" = "OpenBSD" -a ${V} -le 27 -o ${V} -ge 30 ] && \
+ 1) [ "${SYSTEM}" = "OpenBSD" -a ${V} -le 207 -o ${V} -ge 300 ] && \
STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
2) [ "${SYSTEM}" = "FreeBSD" -o ${SYSTEM} = "NetBSD" -o ${SYSTEM} = \
-"OpenBSD" -a ${V} -ge 28 ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
+"OpenBSD" -a ${V} -ge 208 ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
*) STATUS=${INFECTED};;
esac
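Review bot: precedence in the `1)` arm is ambiguous: `test` binds `-a` tighter than `-o`, so `"${SYSTEM}" = "OpenBSD" -a ${V} -le 207 -o ${V} -ge 300` evaluates as (OpenBSD and V <= 2.7) or (V >= 3.0 on any system). With the non-BSD default of V=404 from the last hunk the second clause is true on Linux and NetBSD, exactly as `44 -ge 30` was before, so behaviour is unchanged, but grouping with `\( ... \)` would make the intent explicit. In the `2)` arm `${SYSTEM}` is unquoted in two of the three comparisons; quoting it as in the first would avoid a syntax error should SYSTEM ever be empty.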
@@ -1622,7 +1622,7 @@
expertmode_output "${ls} -l ${CMD}"
return 5
fi
- [ "${SYSTEM}" = "FreeBSD" -a $V -gt 50 ] &&
+ [ "${SYSTEM}" = "FreeBSD" -a $V -gt 500 ] &&
{
if [ `${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \
${egrep} -c "$S_L"` -ne 2 ]; then
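Review bot: same 5.0 boundary as at line 1080 (`-gt 500` leaves 5.0 on the 4.x side); if `-ge` turns out to be the intended reading, all three FreeBSD sites should change together.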
@@ -2398,9 +2398,9 @@
SYSTEM=`${uname} -s`
VERSION=`${uname} -r`
if [ "${SYSTEM}" != "FreeBSD" -a ${SYSTEM} != "OpenBSD" ] ; then
- V=44
+ V=404
else
- V=`echo $VERSION | cut -d- -f 1 | ${sed} 's/\.//g'`
+ V=$(( `echo $VERSION | cut -d- -f 1 | ${sed} 's/\./ * 100 + /g'` ))
fi
# ps command
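Review bot: the sed substitution replaces every dot with ` * 100 + `, so a three-component release string such as 5.2.1 evaluates as 5*100 + 2*100 + 1 = 701 rather than 502. It still clears the 500 thresholds, but the encoding is no longer monotonic (5.2.1 would sort above every release from 5.3 up to 7.0). Selecting only the first two dotted fields before the arithmetic (`cut -d- -f1 | cut -d. -f1,2`) avoids this. Also note that `$(( ))` is POSIX arithmetic; if the script is expected to run under a pre-POSIX Bourne /bin/sh on other platforms, `expr` would be the more portable choice.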
Better tools in this case: I'd say tripwire or one of
the work-alikes.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
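The version-ordering problem described in the mail, as an added example that is not part of the original post or of the chkrootkit patch: the old encoding strips the dots from `uname -r`, so "4.10" becomes 410 and "5.0" becomes 50, and a plain numeric `-gt` then ranks 4.10 above 5.0. The helper below uses the patch's major*100+minor scheme but goes one step beyond it by keeping only the first two dotted components, so that a patch-level release string such as 5.2.1 encodes as 502. The function names and the sample release strings are constructed for this example.

```sh
#!/bin/sh
# Added example: encode a uname -r release string so that numeric
# comparisons order releases correctly.  Not chkrootkit code.

# The pre-patch encoding: drop the "-STABLE"/"-RELEASE" suffix and
# strip the dots.  "4.10" becomes 410 while "5.0" becomes 50, which
# is why 4.10 looked newer than 5.0 to the version checks.
old_encode() {
    echo "$1" | cut -d- -f1 | sed 's/\.//g'
}

# Encoding in the spirit of the patch (major*100 + minor), restricted
# to the first two dotted components so that "5.2.1" yields 502 rather
# than 5*100 + 2*100 + 1.
encode_version() {
    rel=$(echo "$1" | cut -d- -f1)
    major=$(echo "$rel" | cut -d. -f1)
    minor=$(echo "$rel" | cut -d. -f2)
    # cut prints the whole field when there is no dot, so a bare "5"
    # has minor == rel; treat that as 5.0.
    [ "$minor" = "$rel" ] && minor=0
    echo $(( major * 100 + minor ))
}

# Succeeds (exit 0) when release $1 is at least release $2 under the
# new encoding; this is the comparison the 500/403 thresholds rely on.
at_least() {
    [ "$(encode_version "$1")" -ge "$(encode_version "$2")" ]
}

# Constructed sample release strings showing old versus new encoding.
for r in 4.9-STABLE 4.10-STABLE 5.0-RELEASE 5.2.1-RELEASE; do
    printf '%-14s old=%-4s new=%s\n' "$r" "$(old_encode "$r")" "$(encode_version "$r")"
done
```

Run it with `sh` to see the two encodings side by side; under the old one 4.10 (410) outranks 5.0 (50), under the new one it does not, and 5.2.1 lands at 502 instead of 701.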