similar to: really clean install?

Good morning all; Whils't running chkrootkit 0.42 on one of my 4.7-REL boxen it reported : <snip> Checking 'biff'...not infected ]: not found [: -ne: argument expected Checking 'chfn'...not infected ]: not found [: -ne: argument expected <snip> I've been unable to locate any information ref. the " ]: not found " and " [: -ne: argument

cd `dirname dlls/__install-lib__` && make install-lib rm -f libdxerr8.a && ln -s dxerr8/libdxerr8.a libdxerr8.a rm -f libdxerr9.a && ln -s dxerr9/libdxerr9.a libdxerr9.a rm -f libdxguid.a && ln -s dxguid/libdxguid.a libdxguid.a rm -f libuuid.a && ln -s uuid/libuuid.a libuuid.a cd `dirname advapi32/__install__` && make install

Has anyone else seen chkrootkit (version 0.43) on 4.10-prerelease or later report chfn, chsh, and date as infected? I built world yesterday, and my nightly chkrootkit reports this on run. I've replaced the binaries with their 4.9 equivalents, and things don't report as infected. I upgrade the 4.9 machine to 4.10, and chkrootkit reports them as infected again. Is this similar to the

I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and noticed that chfn, date, and chsh showed as being infected. I remember reading post from the past that right now chkrootkit is giving alot of false positives, so I suspected that these 3 binaries are not bad. However, to be on the safe side, I deleted the 3 binaries, removed /usr/src and did a 'make world' to 4.10-STABLE. But, chfn,

Hi, I have a 4.9-STABLE FreeBSD box apparently hacked! Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs. Those are: chfn ... INFECTED chsh ... INFECTED date ... INFECTED ls ... INFECTED ps ... INFECTED But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED. I know by the FreeBSD-Security archives that

Hey all, I've submitted a fix for chkrootkit port, to solve the false positives on FreeBSD 5 and higher: http://www.freebsd.org/cgi/query-pr.cgi?pr=55919 The topic, btw, should be "Teach security/chkrootkit about FreeBSD 5", but it's not my first typo today. Maintainer, please approve. Authors, please see if you can include the changes. I also fixed a minor bug in chk_vdir.

Hi! Running chkrootkit on newly installed FreeBSD 5.0 got: -cut- Checking `basename'... not infected Checking `biff'... not infected Checking `chfn'... INFECTED Checking `chsh'... INFECTED Checking `cron'... not infected Checking `date'... INFECTED -cut- Checking `ls'... INFECTED -cut- Checking `ps'... INFECTED Checking `pstree'... not found -cut- What does it

-- _______________________________________________ Get your free email from http://mymail.bsdmail.com Powered by Outblaze -------------- next part -------------- A non-text attachment was scrubbed... Name: chkrootkit.20031113 Type: application/octet-stream Size: 3948 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20031113/206f8da5/chkrootkit.obj

I have just run chkrootkit on my server and have the following two suspicious entries.. Searching for suspicious files and dirs, it may take a while... /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist and further down.. Checking `bindshell'... INFECTED (PORTS: 465) Anyone have any advice for getting rid of it?? Later..

Hello Guyz, I am facing a problem while trying to compile ezstream 0.1.2. First some information about my setup: nsti# uname -a FreeBSD nsti.localdomain 4.9-RELEASE-p7 FreeBSD 4.9-RELEASE-p7 #0: Thu May 13 21:46:04 IST 2004 prince@nsti.localdomain:/usr/obj/usr/src/sys/NSTI i386 nsti# pkg_info BitchX-1.1 "An alternative ircII color client with optional GTK/GNOME

My machine got hacked a few days ago through the samba bug. I reinstalled everything cvsuped src-all, and ran chkrootkit. No more LKM but still... Can anyone please advise ? bash-2.05b# chkrootkit | grep INFECTED Checking `chfn'... INFECTED Checking `chsh'... INFECTED Checking `date'... INFECTED Checking `ls'... INFECTED Checking `ps'... INFECTED -- Jay -------------- next

Hello; I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 & 0.45 report that my /sbin/init file is infected. It appears as though the egrep for "UPX" in the output of "strings" triggers the infected notice. When I copy the init file from an uninfected box to this one chkrootkit continues to report it as infected. Is chkrootkit reading a copy of the

Running freeBSD 6.1 After changing chkrootkit to the latest version V. 0.47 and compiling it then running it I get the following: ==================<SNIPPIT>================ Searching for anomalies in shell history files... nothing found Checking `asp'... not infected Checking `bindshell'... INFECTED (PORTS: 6667) Checking `lkm'... You have 131 process hidden for readdir

Below is a cut and past from my log files that are sent to me. This is from the last day that proftpd worked correctly. I'm not sure why proftpd was restarted as the log states: ################### LogWatch 5.2.2 (06/23/04) #################### Processing Initiated: Sun Feb 19 09:02:02 2006 Date Range Processed: yesterday Detail Level of Output: 0 Logfiles

I run chkrootkit daily. For the first time I've got reports of a problem - Checking `bindshell'... INFECTED (PORTS: 1008) The page http://fatpenguinblog.com/scott-rippee/checking-bindshell-infected- ports-1008/ suggests that this might be a false positive, so I ran 'netstat - tanup' but unlike the report, it wasn't famd on the port. It was tcp 0 0 0.0.0.0:1008

Hi all, I need to install an anti-rootkid in a lot of servers. I know that there're several options: tripwire, aide, chkrootkit... ?What do you prefer? Obviously, I have to define my needs: - easy setup and configuration - actively developed -- Thanks, Jordi Espasa Clofent

Hello guys, Whats is the best way to identify a possible user using a botnet with php in the server? And if he is using GET commands for example in other server. Does apache logs outbound conections ? If it is using a file that is not malicious the clam av would not identify. Thanks

Hi, sorry if this isn't the right place to post, but I'm having some trouble figuring out a spamming issue. If anyone here can help, that'd be amazing. I'm running Brian's CentOS/BlueQuartz CD, version 3.5 from Nuonce.net. Everything seemed to be running fine for several days until this morning, when I received a zillion "returned mail" notices from the mailer

I have a server that has been compromised. I'm running version 4.6.2 when I do >last this line comes up in the list. shutdown ~ Thu Aug 28 05:22 That was the time the server went down. There seemed to be some configuration changes. Some of the files seemed to revert back to default versions (httpd.conf, resolv.conf) Does anyone have a clue what type of

I think Jim (the other one) is doing a marvellous job with extras and plus but he needs to expand the size of his tent. A sensible package policy in extras/plus repo will mean fewer temptations to install 3rd party repo's that can break your system. Some of the packages i would like to see are :- - MySQL 5 rpms - php 5 rpms (already provided) - Open Office 2.0 rpms - webmin - rkhunter -