chfn, date, chsh INFECTED according to chkrootkit
Tommy K
tommy at berlin.homeunix.com
Wed Aug 18 08:56:52 PDT 2004
Hello,
I have written the author of chkrootkit this mail.
Tommy
On Fri, Jul 02, 2004 at 01:20:50PM +0200, Tommy K wrote:
> Hello,
>
> I have tested chkrootkit on many FreeBSD 4.10** machines and all of the
> tested machines have the same INFECTED things.
>
> I think that is a bug in chkrootkit
>
> <snip>
Yes, you are right.
I will fix it in the next version.
Thanks a lot for your bug report and interest in chkrootkit,
./nelson -murilo
> # chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not infected
> Checking `basename'... not infected
> Checking `biff'... not infected
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `cron'... not infected
> Checking `date'... INFECTED
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> </snip>
>
> Hopefully it could help you!
>
> Regards Tommy
>
> --
> Das Büro am Draht GmbH | Blücherstraße 22 | D-10961 Berlin
> Key fingerprint = BFED 7E4C 8B67 64C8 B210 89D1 5678 1A02 7354 DFB5
>
> Thomas Kamann | Trainee - Application Development
On Wed, Aug 18, 2004 at 05:11:02AM -0700, probsd org wrote:
> I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and
> noticed that chfn, date, and chsh showed as being
> infected. I remember reading posts from the past that
> right now chkrootkit is giving a lot of false
> positives, so I suspected that these 3 binaries are
> not bad.
>
> However, to be on the safe side, I deleted the 3
> binaries, removed /usr/src and did a 'make world' to
> 4.10-STABLE.
>
> But, chfn, chsh, and date are still showing as
> infected.
>
> Is my assumption that I am seeing a false positive
> correct, or does anyone know of an exploit that would
> affect these 3 binaries ( and even after a 'make
> world' from clean src )?
>
> Michael
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
--
Das Büro am Draht GmbH | Blücherstraße 22 | D-10961 Berlin
http://www.dasburo.com | http://tom.dasburo.com
Key fingerprint = BFED 7E4C 8B67 64C8 B210 89D1 5678 1A02 7354 DFB5
Thomas Kamann | Trainee - Application Development
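Added example, not part of this thread and not code from chkrootkit or FreeBSD: a POSIX sh triage script that turns a chkrootkit report into a checksum comparison against a reference manifest, which is the independent confirmation Michael was after. chkrootkit's per-binary checks look for signature strings inside the binary, so a legitimate build that happens to contain a matching string is reported as INFECTED; comparing the flagged file against a known-good copy settles the question either way. The script assumes the manifest was produced with cksum from a trusted build (such as the `make world` from clean source described above) before any alarm and kept off-host; the demo uses constructed stand-in files, and the sample report lines are copied from the thread.

```shell
#!/bin/sh
# Added example (not from this thread, chkrootkit or FreeBSD): triage
# chkrootkit "INFECTED" hits by comparing each flagged binary against a
# reference checksum manifest. The manifest is assumed to come from a
# trusted build (fresh `make world` or install media) and to be stored
# off the host. Only POSIX tools are used so it runs under FreeBSD sh
# as well as Linux shells.

# Print the names of binaries chkrootkit reported as INFECTED, one per
# line. Reads chkrootkit output on stdin; lines look like
#   Checking `chfn'... INFECTED
# The field separator splits on the backtick and the quote, so $2 is the
# bare name. "not infected" is lowercase and does not match.
infected_from_report() {
    awk -F"[\`']" '/ INFECTED$/ { print $2 }'
}

# Build a reference manifest ("crc size path", the cksum format) for the
# given binaries. Run this on a trusted build, then copy it off-host.
make_manifest() {
    cksum "$@"
}

# Compare each flagged binary name read from stdin against the manifest.
# $1 = manifest file, $2 = directory holding the binaries (e.g. /usr/bin).
# Prints one verdict per binary; returns 1 if any binary is missing,
# differs from its reference or has no reference entry, 0 if every hit
# matches.
verify_flagged() {
    manifest=$1
    bindir=$2
    status=0
    while read -r name; do
        [ -n "$name" ] || continue
        path="$bindir/$name"
        if [ ! -f "$path" ]; then
            echo "$name: MISSING   (not present under $bindir)"
            status=1
            continue
        fi
        ref=$(awk -v p="$path" '$3 == p { print $1, $2 }' "$manifest")
        if [ -z "$ref" ]; then
            echo "$name: NOREF     (no reference checksum; cannot conclude)"
            status=1
            continue
        fi
        cur=$(cksum "$path" | awk '{ print $1, $2 }')
        if [ "$cur" = "$ref" ]; then
            echo "$name: OK        (matches reference; chkrootkit hit looks like a signature false positive)"
        else
            echo "$name: MODIFIED  (differs from reference; treat as a real finding)"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample report; the INFECTED lines mirror the thread's output.
sample_report() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not infected
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `cron'... not infected
Checking `date'... INFECTED
Checking `du'... not infected
EOF
}

# Demo on constructed stand-in files: build the manifest from "trusted"
# copies, then alter one file so the run shows both verdicts.
demo() {
    tmp=$(mktemp -d)
    for b in chfn chsh date; do printf 'trusted build of %s\n' "$b" > "$tmp/$b"; done
    make_manifest "$tmp/chfn" "$tmp/chsh" "$tmp/date" > "$tmp/manifest"
    printf 'trusted build of date, with extra bytes\n' > "$tmp/date"
    sample_report | infected_from_report | verify_flagged "$tmp/manifest" "$tmp"
    echo "exit status: $?"
    rm -rf "$tmp"
}

# Real use: chkrootkit | infected_from_report | verify_flagged /path/to/manifest /usr/bin
if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh triage.sh demo` to see the constructed run: chfn and chsh report OK, date reports MODIFIED, exit status 1. Two caveats for real use: cksum is a CRC-32, chosen here only because it is on every POSIX system; it catches accidental or careless changes but not a deliberate collision, so prefer `sha256` (FreeBSD) or `sha256sum` (Linux) for the manifest and adjust the awk field positions to that tool's output format. The manifest is only worth anything if it was generated from a build you trust and kept somewhere the host cannot write, since an intruder who can replace a binary can also rewrite a manifest left beside it. Paths containing spaces are not handled by the field-based matching.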