Displaying 20 results from an estimated 600 matches similar to: "chkrootkit reports INFECTED :("
2004 Aug 18
4
chfn, date, chsh INFECTED according to chkrootkit
I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and
noticed that chfn, date, and chsh showed as being
infected. I remember reading posts from the past that
right now chkrootkit is giving a lot of false
positives, so I suspected that these 3 binaries are
not bad.
However, to be on the safe side, I deleted the 3
binaries, removed /usr/src and did a 'make world' to
4.10-STABLE.
But, chfn,
2004 May 01
3
chkrootkit and 4.10-prerelease issues?
Has anyone else seen chkrootkit (version 0.43) on 4.10-prerelease or
later report chfn, chsh, and date as infected?
I built world yesterday, and my nightly chkrootkit reports this on run.
I've replaced the binaries with their 4.9 equivalents, and things don't
report as infected. I upgrade the 4.9 machine to 4.10, and chkrootkit
reports them as infected again.
Is this similar to the
2003 Aug 24
2
[solution] chkrootkit reports infected files
Hey all,
I've submitted a fix for chkrootkit port, to solve the
false positives on FreeBSD 5 and higher:
http://www.freebsd.org/cgi/query-pr.cgi?pr=55919
The topic, btw, should be "Teach security/chkrootkit
about FreeBSD 5", but it's not my first typo today.
Maintainer, please approve.
Authors, please see if you can include the changes.
I also fixed a minor bug in chk_vdir.
2003 Apr 13
1
chfn, chsh, ls, ps - INFECTED
My machine got hacked a few days ago through the samba bug. I
reinstalled everything cvsuped src-all, and ran chkrootkit. No more LKM
but still...
Can anyone please advise ?
bash-2.05b# chkrootkit | grep INFECTED
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED
--
Jay
2004 May 21
12
Hacked or not ?
Hi,
I have a 4.9-STABLE FreeBSD box apparently hacked!
Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
Those are:
chfn ... INFECTED
chsh ... INFECTED
date ... INFECTED
ls ... INFECTED
ps ... INFECTED
But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
I know by the FreeBSD-Security archives that
2003 Sep 10
1
chkrootkit 4.1 and FreeBSD 4.5
Hello!
I've found that on two FreeBSD 4.5-RELEASE boxes chkrootkit finds:
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED
Recompiling, say, ls from sources didn't help. False positive or source changed as well?
--
Alex.
2003 Oct 01
3
chkrootkit 0.42 & 4.7-REL... "[: -ne: argument expected".... huh?
Good morning all;
Whilst running chkrootkit 0.42 on one of my 4.7-REL boxen it reported:
<snip>
Checking 'biff'...not infected
]: not found
[: -ne: argument expected
Checking 'chfn'...not infected
]: not found
[: -ne: argument expected
<snip>
I've been unable to locate any information ref. the " ]: not found " and "
[: -ne: argument
2009 Dec 18
2
unverified files in 5.4
Hey, Gang!
To ensure that a file hasn't been corrupted or tampered with, you can
use rpm to verify the package it came from. Well, I found this:
rpm -Vv util-linux
....
........ /usr/bin/cal
S.?..... /usr/bin/chfn
........ /usr/bin/chrt
S.?..... /usr/bin/chsh
....
Does anyone else get this? And what would be the proper course of
action at this point?
Thanks mucho.
--
1998 May 19
7
Bind Overrun Bug and Linux
[mod: Just to show you that people DO get bitten after a bugwarning has
gone out on linux-security..... -- REW]
Has anyone been hit with the Bind Inverse Query Buffer Overrun on
their Linux servers? We have had 3 servers attacked using this
exploit and all of the machines had several binaries replaced with
trojan
2015 Feb 08
2
Did you get my previous email? Not Spam.
On 08/02/15 06:51, Jason Long wrote:
> Thanks a lot.
>
> [root@printmah ~]# getent passwd jason
> jason:*:11303:10513:jason JASON:/home/JASONDOMAIN/jason:/bin/false
>
> But I can't log in to Linux via AD username and it shows me:
>
>
>
> Last login: Sun Feb 8 01:48:32 2015
> Could not chdir to home directory /home/JASONDOMAIN/jason: No such file or directory
2007 Nov 20
2
chkrootkit V. 0.47
Running freeBSD 6.1
After changing chkrootkit to the latest version V. 0.47 and compiling it then
running it I get the following:
==================<SNIPPIT>================
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 6667)
Checking `lkm'... You have 131 process hidden for readdir
2018 Feb 21
1
are there reference lists/cheat sheets for categorized commands?
prepping to teach a 5-day CompTIA linux+ course next week with
CompTIA-supplied courseware and, given that it was my choice, i chose
to set up the classroom with centos 7.4 on all the student systems
since i assume most students are there to learn sysadmin and that's
the most likely platform they'll have when they get back to work.
also, most students are taking this course to prep for the
2005 May 12
1
Do I have an infected init file?
Hello;
I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 & 0.45 report that my /sbin/init file is infected.
It appears as though the egrep for "UPX" in the output of "strings" triggers the infected notice. When I copy the init file from an uninfected box to this one chkrootkit continues to report it as infected. Is chkrootkit reading a copy of the
2006 Dec 22
1
chkrootkit reporting possible LKM trojan
How can I be sure if it is LKM or not?
Today I've run chkrootkit and it gave me:
Checking `lkm'... You have 179 process hidden for readdir command
You have 179 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root
2003 Aug 24
2
weird problem with chkrootkit and checksums
Hello,
last night, my chkrootkit crontab returned an alarm message :
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 2 process hidden for ps command
> Warning: Possible LKM Trojan installed
Some research on Google makes me think it's probably a false positive. I
tried a few things:
re-launching chkrootkit : "Checking `lkm'...
2015 Feb 09
2
Did you get my previous email? Not Spam.
On 09/02/15 06:29, Jason Long wrote:
> Thanks.
> I added the Two lines to "smb.conf" but I got below error :
>
> Could not chdir to home directory /home/jason: No such file or directory
> mkdir: cannot create directory ‘/home/jason’: Permission denied
> -sh-4.2$
>
>
> About "PAM", I have not the file that you said :
>
>
> [root@printmah
2001 Nov 07
1
winbind and pam files
In the winbind docs it says the following:
"In /etc/pam.d/* replace the auth lines with something
like this:"
By this (/etc/pam.d/*) do they mean that we change ALL
the files in that directory? If not, what files do we
change? Another set of docs i read for winbind stated
that i should change the /etc/pam.d/samba file, but on
my TurboLinux 6.5 and RH 7.1 systems that file doesn't
2014 Nov 19
2
Bug#770230: CVE-2014-5146 CVE-2014-5149 CVE-2014-8594 CVE-2014-8595
Source: xen
Severity: grave
Tags: security
Hi,
the following security issues apply to Xen in jessie:
CVE-2014-5146,CVE-2014-5149:
https://marc.info/?l=oss-security&m=140784877111813&w=2
CVE-2014-8594:
https://marc.info/?l=oss-security&m=141631359901060&w=2
CVE-2014-8595:
https://marc.info/?l=oss-security&m=141631352601020&w=2
Cheers,
Moritz
2011 Aug 16
4
[virt-devel] End-user review of the native KVM tool
On Tue, Aug 16, 2011 at 09:40:44PM +0530, Kashyap Chamarthy wrote:
> Hm..it's been 10 mins..I don't see anything more in the file where I
> redirected stdout of 'febootstrap' cmd.
>
> Roughly, can you guess how much time this takes?
For me it has so far taken a lot longer. The problem is that the
number of dependent packages is probably 100s.
If you want something
2005 Oct 28
0
chkrootkit 0.46 reboots FreeBSD 5.4-RELEASE-p8
Hello,
Please, don't use chkrootkit 0.46 on production machines.
The "chkproc" process sends a SIGXFSZ (25) signal to init,
that interprets this signal as a "disaster" and reboots
after a 30s sleep.
I'm contacting the chkrootkit maintainer to fix this
problem.
Sorry,
Cordeiro