Do I have an infected init file?

Drew B. [Security Expertise/Freelance Security research]. d4rkstorm at gmail.com
Thu May 12 18:51:13 PDT 2005


Hello,
I have used rootkit-hunter for BSD; it can download MD5 sums from
whitehat which contain 'current' sigs, not that this matters, it only
takes a good package (i.e. the file is encrypted) to bypass any rootkit
revealer etc.
However I do recommend rootkit-hunter, http://www.rootkit.nl , it just
runs when needed (/rkhunter -c, /rkhunter --update), and it does a
VERY thorough job. I recommend running it without update first, then
update it; you will no doubt find some multiple package installs, which
seems to be a major problem with this, older package info staying in
root after the package is updated.
Hope this info is of any help; I can provide a detailed log of a
rootkithunter.log, just ask me to attach a copy.
Regards,
Drew B.

On 5/13/05, Matt Piechota <piechota at argolis.org> wrote:
> On Thu, 12 May 2005, DH wrote:
> 
> > I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 &
> > 0.45 report that my /sbin/init file is infected.
> 
> I should mention that 4.10-release is up to p13.  You should really think
> about patching up to current.
> 
> > It appears as though the egrep for "UPX" in the output of "strings"
> > triggers the infected notice. When I copy the init file from an
> > uninfected box to this one chkrootkit continues to report it as
> > infected. Is chkrootkit reading a copy of the /sbin/init file stored in
> > active memory? If my machine is compromised, which rootkit is installed
> > / how can I find out which rootkit is installed?
> 
> The easiest way to figure out if you are rooted is probably to download or
> create a clean version of /sbin/init, and compare the two files.
> Creating might take some work, you'd have to install a clean 4.10, patch
> it to p2, and make world.
> 
> --
> Matt Piechota
> Key Available from pgp.mit.edu
> PGP Key fingerprint = FC90 4D65 2F8A 38E9 D1A8  FABB 7AE8 C194 5EC8 9CAD
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
> 


-- 
------------------------------------------
Drew B.
/* Security researcher/expert,threat-focus,Freelance */
------------------------------------------
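As an added example that is not part of the thread (and not chkrootkit's or rkhunter's own code), the POSIX sh script below reproduces the two checks the thread talks about: the heuristic chkrootkit applies to /sbin/init, described by DH as an egrep for "UPX" over the output of strings, and the comparison against a known-clean init that Matt suggests, done here by SHA-256 digest. Everything beyond that description is an assumption for the demo: strings(1) is emulated with tr(1) so the script runs anywhere, the two sample files and the UPX banner one of them carries are constructed rather than taken from a real binary, and sha256sum (Linux) or sha256(1) (FreeBSD) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the thread, chkrootkit or rkhunter.
# 1. chkrootkit-style heuristic: does strings(1) output for the file
#    contain "UPX"?  (strings is emulated with tr, an assumption.)
# 2. Matt's check: does the file's SHA-256 match a reference digest
#    taken from a clean build of the same release and patch level?
# Sample files below are constructed for the demo, not real binaries.

# Print the printable strings (4+ chars, strings' default minimum) that
# contain "UPX", one per line.  Seeing the actual string tells you whether
# it is the banner a UPX-packed executable carries or an incidental match.
upx_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}' | grep 'UPX'
}

# Exit 0 when the file would trip the heuristic (chkrootkit's verdict).
has_upx_marker() {
    upx_strings "$1" > /dev/null
}

# SHA-256 of a file: sha256sum on Linux, sha256(1) on FreeBSD.
file_sha256() {
    if command -v sha256sum > /dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Exit 0 when the file's digest equals the reference digest.
matches_reference() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Combined verdict.  The digest comparison decides; the heuristic only
# explains why chkrootkit complained.
check_init() {
    if matches_reference "$1" "$2"; then
        if has_upx_marker "$1"; then
            echo reference-match-upx-string      # heuristic false positive
        else
            echo reference-match
        fi
    elif has_upx_marker "$1"; then
        echo reference-mismatch-upx-string
    else
        echo reference-mismatch
    fi
}

# Constructed sample files (not real binaries); prints the scratch dir.
make_samples() {
    dir=$(mktemp -d)
    # Stand-in for a clean init: a few ordinary strings, no "UPX" anywhere.
    printf '\177ELF\001\001\001\000/sbin/init\000Starting init\000/etc/rc\000' \
        > "$dir/init.clean"
    # Stand-in for the flagged init: the same bytes plus the banner that
    # UPX writes into packed executables (typed here as constructed data).
    {
        cat "$dir/init.clean"
        printf '$Info: This file is packed with the UPX executable packer $\000'
    } > "$dir/init.flagged"
    echo "$dir"
}

# Demo on the constructed samples.  On a real box:
#   check_init /sbin/init "$REF"
# where REF is the digest of /sbin/init from a clean install of the same
# release and patch level (4.10-RELEASE-p2 in the thread).
samples=$(make_samples)
ref=$(file_sha256 "$samples/init.clean")
for f in "$samples/init.clean" "$samples/init.flagged"; do
    printf '%s: %s\n' "$f" "$(check_init "$f" "$ref")"
    upx_strings "$f" | sed 's/^/    matched: /'
done
rm -rf "$samples"
```

The heuristic reads the file on disk, so if a freshly copied init still trips it, the copied file itself contains the string; `upx_strings /sbin/init` shows exactly which string matched, and the digest comparison against a build of the same release and patch level is the check that actually settles whether the binary was altered.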

