Re: chkrootkit V. 0.47
On Tuesday 20 November 2007 16:41:52 JP wrote:
> Running freeBSD 6.1
>
> After changing chkrootkit to the latest version V. 0.47 and compiling it
> then running it I get the following:
>
> ==================<SNIPPIT>==================
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS: 6667)
> Checking `lkm'... You have 131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... vr0 is not promisc
> Checking `w55808'... not infected
> Checking `wted'... chkwtmp: nothing deleted
> ==================</SNIPPIT>==================
>
> Looking above, the output shows a few anomalies like the bindshell ...
> INFECTED (PORTS: 6667)
> --and--
> Checking `lkm'... You have 131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
>
> I do run an IRCd, and also YABB Message board along with APACHE web
> server - would the above then be normal output, and what about the lkm?
> Many thanks to those with more experience in this area.
>
Such tools are known to trigger false positives sometimes. I'd recommend
playing with some additional utilities like lsof. In the case of bindshell, try to
find processes that were executed from world-writable directories such
as /tmp. Try to shut down httpd and other daemons and see if any of them are
still running.
--
- Best regards, Nikolay Pavlov.
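One way to carry out the triage the reply suggests, as an added example and not code from the thread: the helpers below parse chkrootkit's `INFECTED (PORTS: N)` line and lsof output to map each flagged port to its listening process, locate that process's executable, and flag binaries that live under a world-writable directory such as /tmp. It assumes an lsof that supports `-nP -iTCP -sTCP:LISTEN` and `-p PID` (the `txt` FD row is the program text); the sample input at the end is constructed, not real system output.

```shell
#!/bin/sh
# Triage helpers for a chkrootkit "bindshell ... INFECTED (PORTS: N)" hit.
# Each helper reads tool output on stdin so the parsing can be checked offline.

# Ports from chkrootkit output, one per line (handles "PORTS: 6667 31337").
flagged_ports() {
    sed -n 's/.*INFECTED (PORTS: \([0-9][0-9 ]*\)).*/\1/p' | tr ' ' '\n' | grep '[0-9]'
}

# Listeners on port $1 from `lsof -nP -iTCP -sTCP:LISTEN` output: "PID COMMAND".
# The NAME column (e.g. "*:6667") is the field before the trailing "(LISTEN)".
listeners_on_port() {
    awk -v p=":$1" '$1 != "COMMAND" && $(NF-1) ~ p"$" { print $2, $1 }'
}

# Executable path of a process from `lsof -p PID` output (the "txt" FD row).
exe_from_lsof() {
    awk '$4 == "txt" { print $NF; exit }'
}

# SUSPECT when the binary lives under a world-writable directory, OK otherwise.
classify_exe() {
    case "$1" in
        /tmp/*|/var/tmp/*) echo "SUSPECT $1" ;;
        *)                 echo "OK $1" ;;
    esac
}

# Live run (as root, so lsof can see every user's processes):
#   chkrootkit | triage_bindshell
triage_bindshell() {
    flagged_ports | while read -r port; do
        lsof -nP -iTCP -sTCP:LISTEN | listeners_on_port "$port" |
        while read -r pid cmd; do
            exe=$(lsof -p "$pid" | exe_from_lsof)
            echo "port $port: pid $pid ($cmd) -> $(classify_exe "$exe")"
        done
    done
}

# Constructed sample (not real output) so the script shows something when run directly.
printf '%s\n' 'Checking bindshell... INFECTED (PORTS: 6667)' | flagged_ports
classify_exe /usr/local/bin/ircd
classify_exe /tmp/.x/bindshell
```

An IRCd legitimately listening on 6667 from /usr/local/bin comes back OK, which is the false-positive case the reply describes; a listener whose binary sits under /tmp is the one worth pulling apart further.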