On Thu, 12 May 2005, DH wrote:
> I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 &
> 0.45 report that my /sbin/init file is infected.
I should mention that 4.10-release is up to p13. You should really think
about patching up to current.
> It appears as though the egrep for "UPX" in the output of "strings"
> triggers the infected notice. When I copy the init file from an
> uninfected box to this one chkrootkit continues to report it as
> infected. Is chkrootkit reading a copy of the /sbin/init file stored in
> active memory? If my machine is compromised, which rootkit is installed
> / how can I find out which rootkit is installed?
The easiest way to figure out if you are rooted is probably to download or
create a clean version of /sbin/init, and compare the two files.
Creating might take some work, you'd have to install a clean 4.10, patch
it to p2, and make world.
--
Matt Piechota
Key Available from pgp.mit.edu
PGP Key fingerprint = FC90 4D65 2F8A 38E9 D1A8 FABB 7AE8 C194 5EC8 9CAD
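As an added example (not part of the thread), the comparison Matt suggests, written as a small POSIX shell script: it hashes a suspect binary against a trusted reference copy and separately reproduces the "UPX" string match chkrootkit 0.44/0.45 trigger on, so a real byte-level mismatch can be told apart from a string that is also present in the clean file. The file paths and contents are constructed stand-ins for /sbin/init and a clean copy; strings(1) is approximated with tr so the script runs without binutils.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Compare a suspect init binary against a known-clean copy and check
# for the "UPX" string chkrootkit greps for.

# Stable content hash; falls back to POSIX cksum when no sha256 tool exists.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        cksum "$1" | awk '{print $1}'
    fi
}

# Return 0 if the two files have identical content, 1 otherwise.
same_binary() {
    [ "$(file_hash "$1")" = "$(file_hash "$2")" ]
}

# Return 0 if the printable strings of the file contain "UPX".
# Non-printable bytes are turned into newlines, approximating strings(1).
has_upx_string() {
    tr -c '[:print:]' '\n' < "$1" | grep -q UPX
}

# Classify a suspect binary against a trusted reference copy.
# Prints: clean | upx-string-only | mismatch
classify() {
    suspect=$1; reference=$2
    if same_binary "$suspect" "$reference"; then
        if has_upx_string "$suspect"; then
            echo upx-string-only   # same bytes as clean copy; string is a false alarm
        else
            echo clean
        fi
    else
        echo mismatch              # differs from the clean copy: investigate
    fi
}

# Constructed sample files (stand-ins for /sbin/init and a clean copy).
tmp=$(mktemp -d)
printf 'ELF\0\0init program text\0UPX!\0' > "$tmp/init_ref"
cp "$tmp/init_ref" "$tmp/init_same"
printf 'ELF\0\0init program text\0evil\0' > "$tmp/init_other"
classify "$tmp/init_same" "$tmp/init_ref"
classify "$tmp/init_other" "$tmp/init_ref"
```

Run it against the real files as `classify /sbin/init /path/to/clean/init`; only `mismatch` means the binary actually differs from the reference.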