I ran chkrootkit (v. chkrootkit-0.43) earlier and noticed that chfn, date, and chsh showed as being infected. I remember reading a post from the past that right now chkrootkit is giving a lot of false positives, so I suspected that these 3 binaries are not bad.

However, to be on the safe side, I deleted the 3 binaries, removed /usr/src and did a 'make world' to 4.10-STABLE.

But chfn, chsh, and date are still showing as infected.

Is my assumption that I am seeing a false positive correct, or does anyone know of an exploit that would affect these 3 binaries (and even after a 'make world' from clean src)?

Michael

__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - 100MB free storage!
http://promotions.yahoo.com/new_mail
On Wed, 18 Aug 2004 05:11:02 -0700 (PDT) probsd org <probsdorg@yahoo.com> wrote:
> I ran chkrootkit (v. chkrootkit-0.43) earlier and noticed that chfn, date,
> and chsh showed as being infected. I remember reading a post from the past
> that right now chkrootkit is giving a lot of false positives, so I suspected
> that these 3 binaries are not bad.
>
> However, to be on the safe side, I deleted the 3 binaries, removed /usr/src
> and did a 'make world' to 4.10-STABLE.
>
> But chfn, chsh, and date are still showing as infected.
>
> Is my assumption that I am seeing a false positive correct, or does anyone
> know of an exploit that would affect these 3 binaries (and even after a
> 'make world' from clean src)?
>
> Michael

These are false positives. I had this showing on a box of mine (chkrootkit-0.43). And what I did was remove the binaries, resync my source and do a new build.

But still, you can only be sure if you trust your CVS checkout. I have found it rather annoying not having checksums of each and every file in /usr/src, and having a "secure" (man-in-the-middle attack, etc. comes to mind) way of obtaining the checksum file. (A good shell script could verify the checkout and you could sleep easy ;)

Do correct me about the checksums if I'm wrong.

--
As far as the laws of mathematics refer to reality, they are not certain, and as far as they are certain, they do not refer to reality.
-- Albert Einstein
* "Thordur Ivar B." <thib@mi.is> [2004-08-18 14:25 +0000]:
> But still, you can only be sure if you trust your CVS checkout.

And your compiler and other tools used to build everything.

http://www.acm.org/classics/sep95/

Nicolas
Hello,

I have written the author of chkrootkit this mail.

Tommy

On Fri, Jul 02, 2004 at 01:20:50PM +0200, Tommy K wrote:
> Hello,
>
> I have tested chkrootkit on many FreeBSD 4.10** machines and all of the
> tested machines have the same INFECTED things.
>
> I think that is a bug in chkrootkit
>
> <snip>

Yes, you're right. I will fix it in the next version.

Thanks a lot for your bug report and interest in chkrootkit,

./nelson -murilo

> # chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not infected
> Checking `basename'... not infected
> Checking `biff'... not infected
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `cron'... not infected
> Checking `date'... INFECTED
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> </snip>
>
> Hopefully it could help you!
>
> Regards Tommy
>
> --
> Das Büro am Draht GmbH | Blücherstraße 22 | D-10961 Berlin
> Key fingerprint = BFED 7E4C 8B67 64C8 B210 89D1 5678 1A02 7354 DFB5
>
> Thomas Kamann | Trainee - Application Development

On Wed, Aug 18, 2004 at 05:11:02AM -0700, probsd org wrote:
> I ran chkrootkit (v. chkrootkit-0.43) earlier and noticed that chfn, date,
> and chsh showed as being infected. I remember reading a post from the past
> that right now chkrootkit is giving a lot of false positives, so I suspected
> that these 3 binaries are not bad.
>
> However, to be on the safe side, I deleted the 3 binaries, removed /usr/src
> and did a 'make world' to 4.10-STABLE.
>
> But chfn, chsh, and date are still showing as infected.
>
> Is my assumption that I am seeing a false positive correct, or does anyone
> know of an exploit that would affect these 3 binaries (and even after a
> 'make world' from clean src)?
>
> Michael

--
Das Büro am Draht GmbH | Blücherstraße 22 | D-10961 Berlin
http://www.dasburo.com | http://tom.dasburo.com
Key fingerprint = BFED 7E4C 8B67 64C8 B210 89D1 5678 1A02 7354 DFB5

Thomas Kamann | Trainee - Application Development
On Wed, 18 Aug 2004 16:49:49 +0200 Nicolas Rachinsky <list@rachinsky.de> wrote:
> * "Thordur Ivar B." <thib@mi.is> [2004-08-18 14:25 +0000]:
> > But still, you can only be sure if you trust your CVS checkout.
>
> And your compiler and other tools used to build everything.
>
> http://www.acm.org/classics/sep95/
>
> Nicolas

Yes, of course you will need to trust your own toolchain and compiler. (I keep "trusted" binaries on CD to use in cases like this, and for post-mortem inspection.)

--
Kv, thib[att]mi{dot}is

A man can do as he will, but not will as he will.
-- Arthur Schopenhauer
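A worked version of the checksum idea raised in the thread (Thordur's "a good shell script could verify the checkout" for /usr/src, and the known-good binaries kept on CD for post-mortem comparison), added here as an example; it is not code from the thread or from chkrootkit. It records a SHA-256 manifest of a tree and later verifies the tree against that manifest, reporting modified, missing and planted files. It assumes sha256sum(1) (GNU) or sha256(1) (FreeBSD) is present; the hashing tool, the shell and the manifest itself must come from a source you trust, which is exactly the man-in-the-middle and compiler caveats the replies above make.

```shell
#!/bin/sh
# Added example, not from the thread: build a checksum manifest of a tree
# (a freshly checked-out /usr/src, or a set of known-good binaries from CD)
# and verify a tree against it later.
# Assumes sha256sum(1) (GNU) or sha256(1) (FreeBSD) exists and is trusted.

# hash_file FILE: print the SHA-256 hex digest of FILE
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# make_manifest DIR OUT: write "digest path" for every regular file under DIR,
# sorted so that two manifests of identical trees compare byte-for-byte equal
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done ) > "$2"
}

# verify_manifest DIR MANIFEST: print MODIFIED / MISSING / UNEXPECTED lines,
# return 0 only when DIR matches MANIFEST exactly
verify_manifest() {
    dir=$1
    manifest=$2
    status=0
    current=$(mktemp) || return 2
    make_manifest "$dir" "$current"

    # every recorded "digest path" line must reappear unchanged in the tree
    while IFS= read -r line; do
        path=${line#* }
        if ! grep -qxF -- "$line" "$current"; then
            if [ -f "$dir/$path" ]; then
                echo "MODIFIED $path"
            else
                echo "MISSING $path"
            fi
            status=1
        fi
    done < "$manifest"

    # every file now in the tree must have been recorded (catches planted files)
    while IFS= read -r line; do
        path=${line#* }
        if ! awk -v p="$path" \
            'substr($0, index($0, " ") + 1) == p { f = 1 } END { exit !f }' \
            "$manifest"; then
            echo "UNEXPECTED $path"
            status=1
        fi
    done < "$current"

    rm -f "$current"
    return $status
}

# Usage: ./manifest.sh make DIR MANIFEST   or   ./manifest.sh verify DIR MANIFEST
case "${1:-}" in
    make)   make_manifest "$2" "$3" ;;
    verify) verify_manifest "$2" "$3" ;;
esac
```

Generate the manifest right after the checkout (or from the tree on the CD), keep it off the host, and run the verify step from a trusted shell before building. A clean result only proves the tree matches what was recorded, not that the recorded tree was itself clean, which is the point of the Thompson paper Nicolas links.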