Displaying 20 results from an estimated 2000 matches similar to: "rootkit"
2007 Nov 20
2
chkrootkit V. 0.47
Running freeBSD 6.1
After changing chkrootkit to the latest version V. 0.47 and compiling it then
running it I get the following:
==================<SNIPPIT>================
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 6667)
Checking `lkm'... You have 131 process hidden for readdir
2006 Feb 18
0
Does your rkhunter do an md5 check?
I rebuilt rkhunter-1.2.8-1.noarch.rpm by using the spec and tgz from
the rkhunter site (www.rootkit.nl). (I rebuilt it using his
instructions.) However rkhunter does not do an md5 check. The box
used to have fedora and each time there were updates it would
complain that the some of the md5's don't match. I contacted the
author using his contact feature on Wednesday but he hasn't
2008 Jan 13
3
Anti-Rootkit app
Hi all,
I need to install an anti-rootkid in a lot of servers. I know that
there're several options: tripwire, aide, chkrootkit...
?What do you prefer?
Obviously, I have to define my needs:
- easy setup and configuration
- actively developed
--
Thanks,
Jordi Espasa Clofent
2005 May 12
1
Do I have an infected init file?
Hello;
I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 & 0.45 report that my /sbin/init file is infected.
It appears as though the egrep for "UPX" in the output of "strings" triggers the infected notice. When I copy the init file from an uninfected box to this one chkrootkit continues to report it as infected. Is chkrootkit reading a copy of the
2004 May 21
12
Hacked or not ?
Hi,
I have a 4.9-STABLE FreeBSD box apparently hacked!
Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
Those are:
chfn ... INFECTED
chsh ... INFECTED
date ... INFECTED
ls ... INFECTED
ps ... INFECTED
But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
I know by the FreeBSD-Security archives that
2003 Mar 30
2
Bindshell rootkit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ok...did some checking. I forgot to mention that I killed dead syslogd. Not just a -HUP but an actual kill and restarted. I did this several times. I was trying to get something else to work.
Anyway, I killed it again this morning and restarted. The infect message went away immediately.
Could this have been the problem?
-
2004 May 01
3
chkrootkit and 4.10-prerelease issues?
Has anyone else seen chkrootkit (version 0.43) on 4.10-prerelease or
later report chfn, chsh, and date as infected?
I built world yesterday, and my nightly chkrootkit reports this on run.
I've replaced the binaries with their 4.9 equivalents, and things don't
report as infected. I upgrade the 4.9 machine to 4.10, and chkrootkit
reports them as infected again.
Is this similar to the
2003 Apr 13
1
chfn, chsh, ls, ps - INFECTED
My machine got hacked a few days ago through the samba bug. I
reinstalled everything cvsuped src-all, and ran chkrootkit. No more LKM
but still...
Can anyone please advise ?
bash-2.05b# chkrootkit | grep INFECTED
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED
--
Jay
-------------- next
2008 Sep 01
1
How to check for rootkit, troians etc in backed up files?
Hi,
there is a remote (VPS) Centos 4.2 server which *may* have been
compromised. Reinstalling everything from scratch isn't a problem, it
may even be an occasion to improve a few things, the question is
another.
There are backups of necessary shell script, ASCII configuration files
and more or less important email (maildir format, if it matters)
including messages with binary attachments in
2008 Jan 29
5
Unknown rootkit causes compromised servers
Here is the applicable article:
http://www.linux.com/feature/125548
There are links in the above article that explain tests for the system
and what is currently known about the rootkit.
Apparently initial access is NOT via any vulnerability but just guessed
root passwords.
There are currently 2 methods to see if you are infected:
1. In some cases, the root kit causes you to not be able to
2004 Aug 18
4
chfn, date, chsh INFECTED according to chkrootkit
I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and
noticed that chfn, date, and chsh showed as being
infected. I remember reading post from the past that
right now chkrootkit is giving alot of false
positives, so I suspected that these 3 binaries are
not bad.
However, to be on the safe side, I deleted the 3
binaries, removed /usr/src and did a 'make world' to
4.10-STABLE.
But, chfn,
2003 Aug 14
2
chkrootkit reports INFECTED :(
Hi!
Running chkrootkit on newly installed FreeBSD 5.0 got:
-cut-
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `cron'... not infected
Checking `date'... INFECTED
-cut-
Checking `ls'... INFECTED
-cut-
Checking `ps'... INFECTED
Checking `pstree'... not found
-cut-
What does it
2003 Nov 12
1
really clean install?
Good evening, I was finish the FreeBSD4.9 installation from CD, and only do some edit with the /etc/rc.firewall, /etc/rc.conf, /boot/defaults/loader.conf, and recompiling the kernel to support my ext2 backup harddisk, with sndcard support too.
This's a old laptop (ibm380z), i have chkrootkit warning after all finished, i attached my uname -a, dmesg, pkg_info and chkrootkit result, please
2009 Dec 18
3
Security advice, please
I run chkrootkit daily. For the first time I've got reports of a problem -
Checking `bindshell'... INFECTED (PORTS: 1008)
The page http://fatpenguinblog.com/scott-rippee/checking-bindshell-infected-
ports-1008/ suggests that this might be a false positive, so I ran 'netstat -
tanup' but unlike the report, it wasn't famd on the port. It was
tcp 0 0 0.0.0.0:1008
2004 Aug 10
0
freebsd-security Digest, Vol 72, Issue 2
-----------------------------------------------------------------
Doesnt all this belong somewhere else besides the security lists
since this isnt a security issue.
-----------------------------------------------------------------
On Tue, 10 Aug 2004 freebsd-security-request@freebsd.org wrote:
> Send freebsd-security mailing list submissions to
> freebsd-security@freebsd.org
>
> To
2003 May 09
5
Hacked?
This morning, I noticed in my security email, that my entire /usr/bin
directory had setuid diff's set on them.
I think I've been hacked. So I installed chkrootkit from ports and ran
it. It showed not infected for everything,
except NETSTAT. NETSTAT showed infected...
I ran chkrootkit for another machine (at my office), and it showed not
infected for everything.
Both machines are
2003 Sep 10
1
chkrotkit 4.1 and FreeBSD 4.5
Hello!
I've found that on two FreeBSD 4.5-RELEASE boxes chkrootkit finds:
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED
recompiling, say, ls from souces didn't help. False positive or source changed as well?
--
Alex.
2003 Oct 01
3
chkrootkit 0.42 & 4.7-REL... "[: -ne: argument expected".... huh?
Good morning all;
Whils't running chkrootkit 0.42 on one of my 4.7-REL boxen it reported :
<snip>
Checking 'biff'...not infected
]: not found
[: -ne: argument expected
Checking 'chfn'...not infected
]: not found
[: -ne: argument expected
<snip>
I've been unable to locate any information ref. the " ]: not found " and "
[: -ne: argument
2003 Aug 24
2
[solution] chkrootkit reports infected files
Hey all,
I've submitted a fix for chkrootkit port, to solve the
false positives on FreeBSD 5 and higher:
http://www.freebsd.org/cgi/query-pr.cgi?pr=55919
The topic, btw, should be "Teach security/chkrootkit
about FreeBSD 5", but it's not my first typo today.
Maintainer, please approve.
Authors, please see if you can include the changes.
I also fixed a minor bug in chk_vdir.
2005 Jan 11
3
Think someone has got into my server...
I have just run chkrootkit on my server and have the following two
suspicious entries..
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
and further down..
Checking `bindshell'... INFECTED (PORTS: 465)
Anyone have any advice for getting rid of it??
Later..