similar to: Security advice, please

Running freeBSD 6.1 After changing chkrootkit to the latest version V. 0.47 and compiling it then running it I get the following: ==================<SNIPPIT>================ Searching for anomalies in shell history files... nothing found Checking `asp'... not infected Checking `bindshell'... INFECTED (PORTS: 6667) Checking `lkm'... You have 131 process hidden for readdir

I have just run chkrootkit on my server and have the following two suspicious entries.. Searching for suspicious files and dirs, it may take a while... /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist and further down.. Checking `bindshell'... INFECTED (PORTS: 465) Anyone have any advice for getting rid of it?? Later..

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ok...did some checking. I forgot to mention that I killed dead syslogd. Not just a -HUP but an actual kill and restarted. I did this several times. I was trying to get something else to work. Anyway, I killed it again this morning and restarted. The infect message went away immediately. Could this have been the problem? -

Hello; I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 & 0.45 report that my /sbin/init file is infected. It appears as though the egrep for "UPX" in the output of "strings" triggers the infected notice. When I copy the init file from an uninfected box to this one chkrootkit continues to report it as infected. Is chkrootkit reading a copy of the

I was running some benchmarks and trying to tune speed between a samba 3.6.22 server and win7. My primary benchmark is using 'dd' on windows to read/write to device files in my home directory to eliminate effects of disk latency. So for reads, I transfer from h:/zero and for writes I write to h:/null. Where h: is my unix home dir. (for the other end of the transfer, I use /dev/null and

Has anyone else seen chkrootkit (version 0.43) on 4.10-prerelease or later report chfn, chsh, and date as infected? I built world yesterday, and my nightly chkrootkit reports this on run. I've replaced the binaries with their 4.9 equivalents, and things don't report as infected. I upgrade the 4.9 machine to 4.10, and chkrootkit reports them as infected again. Is this similar to the

I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and noticed that chfn, date, and chsh showed as being infected. I remember reading post from the past that right now chkrootkit is giving alot of false positives, so I suspected that these 3 binaries are not bad. However, to be on the safe side, I deleted the 3 binaries, removed /usr/src and did a 'make world' to 4.10-STABLE. But, chfn,

Hi, I have a 4.9-STABLE FreeBSD box apparently hacked! Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs. Those are: chfn ... INFECTED chsh ... INFECTED date ... INFECTED ls ... INFECTED ps ... INFECTED But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED. I know by the FreeBSD-Security archives that

Hey all, I've submitted a fix for chkrootkit port, to solve the false positives on FreeBSD 5 and higher: http://www.freebsd.org/cgi/query-pr.cgi?pr=55919 The topic, btw, should be "Teach security/chkrootkit about FreeBSD 5", but it's not my first typo today. Maintainer, please approve. Authors, please see if you can include the changes. I also fixed a minor bug in chk_vdir.

Hi! Running chkrootkit on newly installed FreeBSD 5.0 got: -cut- Checking `basename'... not infected Checking `biff'... not infected Checking `chfn'... INFECTED Checking `chsh'... INFECTED Checking `cron'... not infected Checking `date'... INFECTED -cut- Checking `ls'... INFECTED -cut- Checking `ps'... INFECTED Checking `pstree'... not found -cut- What does it

Good morning all; Whils't running chkrootkit 0.42 on one of my 4.7-REL boxen it reported : <snip> Checking 'biff'...not infected ]: not found [: -ne: argument expected Checking 'chfn'...not infected ]: not found [: -ne: argument expected <snip> I've been unable to locate any information ref. the " ]: not found " and " [: -ne: argument

Good evening, I was finish the FreeBSD4.9 installation from CD, and only do some edit with the /etc/rc.firewall, /etc/rc.conf, /boot/defaults/loader.conf, and recompiling the kernel to support my ext2 backup harddisk, with sndcard support too. This's a old laptop (ibm380z), i have chkrootkit warning after all finished, i attached my uname -a, dmesg, pkg_info and chkrootkit result, please

I have been googling and searching the archive , haven''t got anything helpful. Would appreciate any help. Got the follow error when trying to start a domain using NFS root IP-Config: Incomplete network configuration information. Looking up port of RPC 100003/2 on 10.10.24.141 <http://10.10.24.141> RPC: sendmsg returned error 101 portmap: RPC call returned error 101 Root-NFS:

Hi all, I have a requirement to run NFS read-only in an Internet-facing colocation environment. I am not happy with packet filters alone around rpcbind, call me paranoid, so I just spent the last few minutes cutting this patch. As you are aware, RPC applications can be forced to listen on a known port through the sin/sa argument to bindresvport[_sa](). Why several Linux distributions have this

Hi all, Which ports do I need to have open on an NFS client's firewall to allow it to connect to a remote NFS servers? When I disable iptables (using ConfigServerFirewall), it connects fine, but as soon as I enable it, NFS gives me this error: root at saturn:[~]$ mount master1.mydomain.co.za:/saturn /bck mount: mount to NFS server 'master1.mydomain.co.za' failed: RPC Error: Unable to

Hello. My server was hacked. The CPU has been loaded on 99 % by "sh -i" process. I found out that someone has started phpshell through a hole in one of phpbb forums. Also has filled in scripts for flud and spam and "vadim script" in "/tmp". I has made it noexec. Recently has found out the same process. May be i have left again /tmp opened, or other hole may

My machine got hacked a few days ago through the samba bug. I reinstalled everything cvsuped src-all, and ran chkrootkit. No more LKM but still... Can anyone please advise ? bash-2.05b# chkrootkit | grep INFECTED Checking `chfn'... INFECTED Checking `chsh'... INFECTED Checking `date'... INFECTED Checking `ls'... INFECTED Checking `ps'... INFECTED -- Jay -------------- next

Hi all, I've been making a wrapper script for the backup tool 'duplicity', allowing me to create config files for each resource, wherein I define whether a snapshot should be made prior to backing up the resource or not. Now I find that my snapshots never change .... The script creates a snapshot, creates md device, mounts it, runs backup against the mounted snapshot,

Below is a cut and past from my log files that are sent to me. This is from the last day that proftpd worked correctly. I'm not sure why proftpd was restarted as the log states: ################### LogWatch 5.2.2 (06/23/04) #################### Processing Initiated: Sun Feb 19 09:02:02 2006 Date Range Processed: yesterday Detail Level of Output: 0 Logfiles

is it possible to set up NFS on centos 5.5 so that it uses *only* version 4? i tried this not that long ago on fedora and was surprised to see a complaint when i tried to start the server and was told that i was missing required functionality of NFSv1, or something equally weird. i'll check the /etc/init.d/nfs script, but i think what got me into trouble was trying to use the entire set of