chfn, date, chsh INFECTED according to chkrootkit - Thordur Ivar B. - org.freebsd.freebsd-security

8 messages in org.freebsd.freebsd-securitychfn, date, chsh INFECTED according t...

From	Sent On	Attachments
probsd org	Aug 18, 2004 5:20 am
Thordur Ivar B.	Aug 18, 2004 7:24 am
Nicolas Rachinsky	Aug 18, 2004 7:49 am
Giorgos Keramidas	Aug 18, 2004 7:53 am
Tommy K	Aug 18, 2004 8:56 am
Thordur Ivar B.	Aug 18, 2004 9:23 am
Matt Piechota	Aug 18, 2004 9:45 am
Thordur Ivar B.	Aug 18, 2004 11:37 am

Subject:	chfn, date, chsh INFECTED according to chkrootkit
From:	Thordur Ivar B. (th...@mi.is)
Date:	Aug 18, 2004 7:24:47 am
List:	org.freebsd.freebsd-security

On Wed, 18 Aug 2004 05:11:02 -0700 (PDT) probsd org <prob...@yahoo.com> wrote:

I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and noticed that chfn, date, and chsh showed as being infected. I remember reading post from the past that right now chkrootkit is giving alot of false positives, so I suspected that these 3 binaries are not bad.

However, to be on the safe side, I deleted the 3 binaries, removed /usr/src and did a 'make world' to 4.10-STABLE.

But, chfn, cfsh, and date are stilling showing as infected.

Is my assumption that I am seeing a false positive correct, or anyone know of an exploit that would affect these 3 binaries ( and even after a 'make world' from clean src )?

These are false positives. I had this showing on a box of mine (chkrootkit-0.43). And What I did was remove the binarys and resync'ed my source and did a new build.

But still, you can only be sure if you trust you CVS checkout. I have found it rather annyoing not have'ing checksums of each and every file in /usr/src. And having a "secure" (man-in-the-middle attack, etc comes in mind) way of optaining the checksum file.( A good shell script could verify the checkout and you could sleep easy ;)

Do correct me about the checksums if I'm wrong.

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets