Running FreeBSD 6.1

After changing chkrootkit to the latest version V. 0.47 and compiling it then running it I get the following:

==================<SNIPPIT>===============
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 6667)
Checking `lkm'... You have 131 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... vr0 is not promisc
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
==================</SNIPPIT>===============

Looking above, the above shows a few anomalies like the bindshell ...
INFECTED (PORTS: 6667)
--and--
Checking `lkm'... You have 131 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed

I do run an IRCd, and also YABB Message board along with APACHE web server - would the above then be normal output, and what about the lkm?

Many thanks to those with more experience in this area.

JP
On Tuesday 20 November 2007 16:41:52 JP wrote:
> Running FreeBSD 6.1
>
> After changing chkrootkit to the latest version V. 0.47 and compiling it
> then running it I get the following:
>
> ==================<SNIPPIT>===============
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS: 6667)
> Checking `lkm'... You have 131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... vr0 is not promisc
> Checking `w55808'... not infected
> Checking `wted'... chkwtmp: nothing deleted
> ==================</SNIPPIT>===============
>
> Looking above, the above shows a few anomalies like the bindshell ...
> INFECTED (PORTS: 6667)
> --and--
> Checking `lkm'... You have 131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
>
> I do run an IRCd, and also YABB Message board along with APACHE web
> server - would the above then be normal output, and what about the lkm?
> Many thanks to those with more experience in this area.

Such tools are known to trigger false positives sometimes. I'd recommend playing with some additional utilities like lsof. In case of bindshell, try to find processes that were executed from world-writable directories such as /tmp. Try to shut down httpd and other daemons and see if any of them are still running.

-- 
======================================================================
- Best regards, Nikolay Pavlov.                  <<<-----------------------------------
======================================================================
On Tue, 20 Nov 2007, JP wrote:

> --and--
> Checking `lkm'... You have 131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed

I wonder if it's trying to use procfs, which isn't mounted by default in FreeBSD, and as a result reporting that /proc is empty (which is expected). You could try mounting procfs and see if the message goes away, which would answer the question -- however, we don't generally advise mounting procfs unless it is required, as it is a deprecated feature.

Robert N M Watson
Computer Laboratory
University of Cambridge
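A small check script written for this thread (an added example, not from any of the posters) that works through both replies: it tells whether procfs is mounted, which decides whether chkproc's "hidden process" count means anything, and identifies which daemon owns the port chkrootkit flagged as a bindshell. The `mount` and `sockstat -4l` samples are constructed, and the allow-list of expected daemons is an assumption for this host.

```shell
#!/bin/sh
# Constructed `mount` output from a FreeBSD host with procfs NOT mounted.
SAMPLE_MOUNT_NOPROC='/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s1d on /usr (ufs, local)'

# Same host after `mount -t procfs proc /proc`.
SAMPLE_MOUNT_PROC="$SAMPLE_MOUNT_NOPROC
procfs on /proc (procfs, local)"

# Constructed `sockstat -4l` output: the IRC daemon, not a bindshell, owns 6667.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS   FOREIGN ADDRESS
ircd     ircd       812   6  tcp4   *:6667          *:*
www      httpd      701   4  tcp4   *:80            *:*
root     sshd       523   3  tcp4   *:22            *:*'

# Exit 0 if procfs is mounted on /proc according to the given `mount` output.
# chkproc counts processes seen by ps but absent from /proc; with no procfs
# every process is "hidden", which produces the LKM warning in the thread.
procfs_mounted() {
    printf '%s\n' "$1" | grep -q '^procfs on /proc '
}

# Print "COMMAND PID" of whatever listens on TCP port $1 in sockstat output $2.
listener_for_port() {
    printf '%s\n' "$2" | awk -v p="$1" 'NR > 1 && $6 ~ (":" p "$") { print $2, $3 }'
}

# Exit 0 if the listener on port $1 is one of the daemons named in $3
# (space-separated allow-list; an assumption for this host), 1 if it is not,
# 2 if nothing listens there at all.
explain_bindshell() {
    owner=$(listener_for_port "$1" "$2" | awk '{ print $1 }')
    [ -z "$owner" ] && { echo "port $1: no listener"; return 2; }
    for d in $3; do
        [ "$d" = "$owner" ] && { echo "port $1: $owner (expected daemon)"; return 0; }
    done
    echo "port $1: $owner (not in allow-list, inspect this process)"
    return 1
}

# Live use on the box itself (left commented so the block runs offline):
#   procfs_mounted "$(mount)" || echo "procfs not mounted: chkproc's count is unreliable"
#   explain_bindshell 6667 "$(sockstat -4l)" "ircd httpd"
```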