On Wed, 18 Aug 2004 05:11:02 -0700 (PDT)
probsd org <prob...@yahoo.com> wrote:
I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and
noticed that chfn, date, and chsh showed as being
infected. I remember reading posts from the past that
right now chkrootkit is giving a lot of false
positives, so I suspected that these 3 binaries are
However, to be on the safe side, I deleted the 3
binaries, removed /usr/src and did a 'make world' to
But, chfn, chsh, and date are still showing as
Is my assumption that I am seeing a false positive
correct, or does anyone know of an exploit that would
affect these 3 binaries ( and even after a 'make
world' from clean src )?

These are false positives. I had this showing on a box of mine
(chkrootkit-0.43). And what I did was remove the binaries, resync my source
and do a new build.
But still, you can only be sure if you trust your CVS checkout.
I have found it rather annoying not having checksums of each and every file
in /usr/src. And having a "secure" (man-in-the-middle attack, etc. comes to mind)
way of obtaining the checksum file. (A good shell script could verify the
checkout and you could sleep easy ;)
Do correct me about the checksums if I'm wrong.
As far as the laws of mathematics refer to reality, they are not
certain, and as far as they are certain, they do not refer to reality.
-- Albert Einstein
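
The reply above wishes for a checksum file covering /usr/src and a shell script to verify a checkout against it. A sketch of such a script follows as an added example, not part of the original thread or of any FreeBSD tooling. The manifest format and the function names hash_file, make_manifest and verify_tree are assumptions, and the manifest is assumed to have been obtained and authenticated over a channel you trust.

```sh
#!/bin/sh
# Added example. Manifest format (assumed): "<sha256-hex>  ./relative/path".
# Paths containing newlines are not supported.

# Print the SHA-256 of one file with whichever tool is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD base system
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# make_manifest TREE: write a manifest for a trusted copy to stdout.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done )
}

# verify_tree TREE MANIFEST: report MISSING, MODIFIED and EXTRA files.
# Returns 0 only when the tree matches the manifest exactly.
verify_tree() {
    tree=$1 manifest=$2 rc=0
    while IFS= read -r line; do
        want=${line%%  *}                   # digest before the two spaces
        path=${line#*  }                    # path after them
        if [ ! -f "$tree/$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(hash_file "$tree/$path")" != "$want" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$manifest"
    # Files on disk that the manifest never listed (e.g. a dropped-in source file).
    listed=$(mktemp)
    sed 's/^[0-9a-f]*  //' "$manifest" | LC_ALL=C sort > "$listed"
    extra=$( (cd "$tree" && find . -type f) | LC_ALL=C sort |
             LC_ALL=C comm -13 "$listed" - | sed 's/^/EXTRA /')
    rm -f "$listed"
    [ -z "$extra" ] || { echo "$extra"; rc=1; }
    return $rc
}
```

Keep the manifest outside the tree being checked, otherwise it is reported as EXTRA; the same applies to the CVS/ metadata directories of a checkout unless the manifest lists them.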