similar to: weird problem with chkrootkit and checksums

Running freeBSD 6.1 After changing chkrootkit to the latest version V. 0.47 and compiling it then running it I get the following: ==================<SNIPPIT>================ Searching for anomalies in shell history files... nothing found Checking `asp'... not infected Checking `bindshell'... INFECTED (PORTS: 6667) Checking `lkm'... You have 131 process hidden for readdir

How can I be sure if it is LKM or not? Today I've run chkrootkit and it gave me: Checking `lkm'... You have 179 process hidden for readdir command You have 179 process hidden for ps command chkproc: Warning: Possible LKM Trojan installed Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp ! ! RUID PID TTY CMD ! root

My machine got hacked a few days ago through the samba bug. I reinstalled everything cvsuped src-all, and ran chkrootkit. No more LKM but still... Can anyone please advise ? bash-2.05b# chkrootkit | grep INFECTED Checking `chfn'... INFECTED Checking `chsh'... INFECTED Checking `date'... INFECTED Checking `ls'... INFECTED Checking `ps'... INFECTED -- Jay -------------- next

Hi expeRts, I would like to calculate weighted mean by two factors. My code is as follows: R> tmp <- by(re$meta.sales.lkm[, c("pc", "sales")], re$meta.sales.lkm[, c("size", "yr")], function(x) weighted.mean(x[,1], x[,2])) The result is as follows: R> tmp size: micro yr: 1994 [1] 1.090

Hi all again, I must add, there are no log entries after June 9, 2004. "LKM" message first apeared June 8, 2004, after this day, there is nothing in /var/messages, /var/security ..... How could I look for suspicious LKM module ? How could I find it, if the machine is hacked and I can not believe "ls", "find" etc. commands ? Peter Rosa

Hi, I have a 4.9-STABLE FreeBSD box apparently hacked! Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs. Those are: chfn ... INFECTED chsh ... INFECTED date ... INFECTED ls ... INFECTED ps ... INFECTED But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED. I know by the FreeBSD-Security archives that

Ok, I've googled for 15+ minutes, and have yet to find a usable answer, so I'm going to annoy everyone and ask here. I have, in my posession, a creative VoIP blaster. I have installed the fobbit LKM and I can see the device. Can I use it with asterisk in any meaningful way, shape, or form? I'd love to be able to buy an IP phone, ATA, or FXO card, but lack the funds at the moment

I am not sure if I had a compromise but I am not sure I wanted some other input. I noticed in this in my daily security run output: pc1 setuid diffs: 19c19 < 365635 -rwsr-xr-x 1 root wheel 204232 Sep 27 21:23:19 2003 /usr/X11R6/bin/xscreensaver --- > 365781 -rwsr-xr-x 1 root wheel 205320 Dec 4 07:55:59 2003 /usr/X11R6/bin/xscreensaver It was the only file listed and I didn't

Hello everyone, I want to get a 1km by lkm grid raster image using my csv data. If I call latitude=a, longitude=b and preciptation=c. a<-(1,2,3,4,5) b<-(6,7,8,9,10) c<-(10,20, 30,40, 50) Then I found an example in r help which goes like pts = read.table("file.csv",......) library(sp) library(rgdal) proj4string(pts)=CRS("+init=epsg:4326") # set it to lat-long pts =

> > >Date: Sat, 12 Jun 2004 13:15:33 +0200 >From: "Peter Rosa" <prosa@pro.sk> >Subject: Hacked or not ? >To: "FreeBSD Security" <freebsd-security@freebsd.org> >Message-ID: <016301c4506e$947644e0$3501a8c0@pro.sk> > >Hi all, > >please advice me - I was on holidays for one week. After return I found in >security mails from

I am inquiring on the list if anybody knows if the latest plus kernel includes the fixes for MD RAID-1 where it didn't pass down the BIO_RW_SYNC flag on cloned bios. This bug was discovered in December by the DRBD project and patches were posted by Lars Ellenberg from that project to the LKM which were then merged into the 2.6.19 kernel. The bug causes severe performance penalties for

Hello, I recently did a 'make world' to update my base system due to the realpath bug. After that finished, I noticed that I still had the following statically compiled binaries laying around that did not get updated during a 'make world'. I track 4-STABLE. /usr/bin/miniperl /sbin/mount_kernfs /sbin/mount_devfs /sbin/modunload /sbin/modload /sbin/ft /stand/boot_crunch /stand/find

> Date: Sat, 29 Oct 2005 07:34:28 -0700 > From: Colin Percival <cperciva@freebsd.org> > Subject: Re: Is the server portion of freebsd-update open source? > To: markzero <mark@darklogik.org> > Cc: freebsd-security@freebsd.org > Message-ID: <43638874.2020004@freebsd.org> > Content-Type: text/plain; charset=ISO-8859-1 > > markzero wrote: > > No this

Hey all, I've submitted a fix for chkrootkit port, to solve the false positives on FreeBSD 5 and higher: http://www.freebsd.org/cgi/query-pr.cgi?pr=55919 The topic, btw, should be "Teach security/chkrootkit about FreeBSD 5", but it's not my first typo today. Maintainer, please approve. Authors, please see if you can include the changes. I also fixed a minor bug in chk_vdir.

Hi! Running chkrootkit on newly installed FreeBSD 5.0 got: -cut- Checking `basename'... not infected Checking `biff'... not infected Checking `chfn'... INFECTED Checking `chsh'... INFECTED Checking `cron'... not infected Checking `date'... INFECTED -cut- Checking `ls'... INFECTED -cut- Checking `ps'... INFECTED Checking `pstree'... not found -cut- What does it

Has anyone else seen chkrootkit (version 0.43) on 4.10-prerelease or later report chfn, chsh, and date as infected? I built world yesterday, and my nightly chkrootkit reports this on run. I've replaced the binaries with their 4.9 equivalents, and things don't report as infected. I upgrade the 4.9 machine to 4.10, and chkrootkit reports them as infected again. Is this similar to the

I've read about securelevel in the mailing list archive, and found some pitfalls (and seems to me to be discarded soon). But According to me, the following configuration should offer a good security: - mount root fs read only at boot; - set securelevel to 3; - do not permit to unmount/remount roots fs read-write (now it is possible by means of "mount -uw /"); - the only way to make

Good morning all; Whils't running chkrootkit 0.42 on one of my 4.7-REL boxen it reported : <snip> Checking 'biff'...not infected ]: not found [: -ne: argument expected Checking 'chfn'...not infected ]: not found [: -ne: argument expected <snip> I've been unable to locate any information ref. the " ]: not found " and " [: -ne: argument

Hello, Please, don't use chkrootkit 0.46 on production machines. The "chkproc" process sends a SIGXFSZ (25) signal to init, that interprets this signal as a "disaster" and reboots after a 30s sleep. I'm contacting the chkrootkit maintainer to fix this problem. Sorry, Cordeiro

I'm currently administering a machine about 1500mi from me with nobody local to the machine to assist me. Anyways, my only access to this machine is via SSH, no remote serial console or anything. When I try to do a "make installworld" I end up with install: rename: /lib/INS@aTxk to /lib/libcrypt.so.3: Operation not permitted very shortly thereafter. I cannot boot