Hi!
My system: newly installed FreeBSD 7.1, KDE 3.5.10
I ran chkrootkit and I got:
...
Checking `sshd'... /usr/bin/strings: Warning: '/' is not an ordinary file
...
...
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8
On Wed, Jan 28, 2009 at 5:13 PM, ajtiM lum...@gmail.com wrote:
Hi!
My system: newly installed FreeBSD 7.1, KDE 3.5.10
I ran chkrootkit and I got:
...
Checking `sshd'... /usr/bin/strings: Warning: '/' is not an ordinary file
...
...
Searching for t0rn's default files and dirs
Glen Barber wrote:
On Wed, Jan 28, 2009 at 5:13 PM, ajtiM lum...@gmail.com wrote:
Hi!
My system: newly installed FreeBSD 7.1, KDE 3.5.10
I ran chkrootkit and I got:
...
Checking `sshd'... /usr/bin/strings: Warning: '/' is not an ordinary file
...
...
Searching for t0rn's default
On Wednesday 28 January 2009 16:30:54 Glen Barber wrote:
On Wed, Jan 28, 2009 at 5:13 PM, ajtiM lum...@gmail.com wrote:
Hi!
My system: newly installed FreeBSD 7.1, KDE 3.5.10
I ran chkrootkit and I got:
...
Checking `sshd'... /usr/bin/strings: Warning: '/' is not an ordinary
On Wednesday 28 January 2009 16:40:51 Eitan Adler wrote:
Glen Barber wrote:
On Wed, Jan 28, 2009 at 5:13 PM, ajtiM lum...@gmail.com wrote:
Hi!
My system: newly installed FreeBSD 7.1, KDE 3.5.10
I ran chkrootkit and I got:
...
Checking `sshd'... /usr/bin/strings: Warning
ajtiM said:
I read and supposed to be libproc.a problem
I don't have experience with the chkrootkit and it is not clear for me where
it found a rootkit: which file, dir...
The link Eitan posted is very clear. It is (most likely) a false alarm.
--
Glen Barber
On Wednesday 28 January 2009 19:04:27 Glen Barber wrote:
ajtiM said:
I read and supposed to be libproc.a problem
I don't have experience with the chkrootkit and it is not clear for me
where it found a rootkit: which file, dir...
The link Eitan posted is very clear. It is (most likely
disturbed
with a line Checking `date'... INFECTED
# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not infected
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date
/.
Has started, and has received below resulted result. I am disturbed
with a line Checking `date'... INFECTED
# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not infected
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking
.
I have loaded program stock-takings rootkit from a site
http://www.chkrootkit.org/.
Has started, and has received below resulted result. I am disturbed
with a line Checking `date'... INFECTED
# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not infected
Checking `basename
Hi all,
Now, on top of the time error I was receiving (earlier post last week), I
am now getting:
Checking `z2'... chklastlog in malloc(): error: recursive call
Abort trap (core dumped)
After running chkrootkit. Can someone help me understand z2 and why I'm
getting all these errors
On Wed, Oct 19, 2005 at 03:42:46PM -0400, Matt Juszczak wrote:
Hi all,
Now, on top of the time error I was receiving (earlier post last week), I
am now getting:
Checking `z2'... chklastlog in malloc(): error: recursive call
Abort trap (core dumped)
After running chkrootkit. Can
Paul Schmehl [EMAIL PROTECTED] writes:
Out of curiosity more than anything else, I installed chkrootkit on a
server I maintain and ran it. It returned this:
Checking `bindshell'... INFECTED (PORTS: 465)
I'm running smtps on that server, so this is apparently a false
positive. Has
Out of curiosity more than anything else, I installed chkrootkit on a
server I maintain and ran it. It returned this:
Checking `bindshell'... INFECTED (PORTS: 465)
I'm running smtps on that server, so this is apparently a false positive.
Has anyone else seen this?
Paul Schmehl ([EMAIL
Hi all,
Got the following line in recent check root kits:
Checking `z2'... Remaining time: 51480.00 seconds chklastlog: nothing deleted
Not sure what it means... it usually just says chklastlog: nothing
deleted. Should this be a cause for concern? A search of Google yielded
little to no
I just installed and ran the chkrootkit port on my 5.2.1-RELEASE-p5
system. It says my date command is infected. Nothing else, just that.
How can I determine if this is a false positive or if I'm truly hacked?
-ste
On Thu, May 13, 2004 at 03:25:44PM -0400, Shaun T. Erickson wrote:
I just installed and ran the chkrootkit port on my 5.2.1-RELEASE-p5
system. It says my date command is infected. Nothing else, just that.
How can I determine if this is a false positive or if I'm truly hacked?
Talk
Hello,
I just ran chkrootkit -n -q on a 5.2.1 box, and it showed date as being
infected, but nothing else, no worms, and it didn't say with what. Given my
last experience I would appreciate any suggestions as to how to identify
this anomaly and stop it.
Thanks.
Dave
Hello,
I just ran chkrootkit -n -q on a 5.2.1 box, and it showed date as being
infected, but nothing else, no worms, and it didn't say with what. Given my
last experience I would appreciate any suggestions as to how to identify
this anomaly and stop it.
Thanks.
Dave
On Wed, Apr 14, 2004 at 12:29:19PM -0700, Mike wrote:
Well... I installed and ran chkrootkit. And the output shows that:
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED
No rootkits were found
systems, but that could just be my memory failing.
http://lists.freebsd.org/pipermail/freebsd-security/2003-August/000755.html
For the rest of the traffic look at:
http://www.google.co.uk/search?hl=en&ie=UTF-8&oe=UTF-8&safe=off&q=site%3Alists.freebsd.org+chkrootkit+chfn+INFECTED&btnG
Greetings:
My test system:
FreeBSD 4.9-stable
Pentium III 800
I read an earlier post about using chkrootkit to check for root kits
(intrusions). I'm still learning about FreeBSD so I thought I would run
this too.
Well... I installed and ran chkrootkit. And the output shows that:
Checking
On Wed, Apr 14, 2004, Mike clacked the keyboard to produce:
Greetings:
My test system:
FreeBSD 4.9-stable
Pentium III 800
I read an earlier post about using chkrootkit to check for root kits
(intrusions). I'm still learning about FreeBSD so I thought I would run
this too.
Well
Jeff Maxwell wrote:
upgrade your ports. The chkrootkit that ships with 4.9 gives false
positives
Jeff:
Thanks for the tip.
I deinstalled the chkrootkit (v-4.1) that came with 4.9. I then
downloaded and installed the most recent version (v-4.3) from the
chkrootkit.org site.
I re-ran
Hello all,
On Wed, Apr 14, 2004 at 02:11:34PM -0700 or thereabouts, Mike wrote:
Jeff Maxwell wrote:
upgrade your ports. The chkrootkit that ships with 4.9 gives false
positives
I'm using chkrootkit from fresh ports update (v4.3). Results are as:
System 1 on 4.9-STABLE:
nothing
Since there have already been a couple of questions on this I thought I'd
see if anyone could shed some light on something I've noticed since I
started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in
quiet mode to cut down on noise in the logs, and sporadically I get
Since there have already been a couple of questions on this I thought
I'd
see if anyone could shed some light on something I've noticed since I
started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in
quiet mode to cut down on noise in the logs, and sporadically I get
Since there have already been a couple of questions on this I thought I'd
see if anyone could shed some light on something I've noticed since I
started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in
quiet mode to cut down on noise in the logs, and sporadically I get
On Fri, Aug 15, 2003 at 09:50:53AM +0400, Mikhail E. Zakharov wrote:
Hi!
Running chkrootkit on newly installed FreeBSD 5.0 got:
FAQ. Consult the archives.
Kris
Hi!
Running chkrootkit on newly installed FreeBSD 5.0 got:
-cut-
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `cron'... not infected
Checking `date'... INFECTED
-cut-
Checking `ls'... INFECTED
-cut-
Checking
I have the following listed as INFECTED:
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED
Does anyone have the same output?
---
Lou
On Thu, Jun 26, 2003 at 02:02:19AM -0700, Tak Pui LOU wrote:
I have the following listed as INFECTED:
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED
Does anyone have the same output?
FAQ..please
I read about this before. But, I just updated the port source tree and did
a portupgrade. These programs are still listed as INFECTED. So, my
question should be if these have been fixed or someone is really messing
with my system.
---
Lou
On Thu, 26 Jun 2003, Kris Kennaway wrote:
On Thu, Jun
On Thu, Jun 26, 2003 at 02:14:45AM -0700, Tak Pui LOU wrote:
I read about this before. But, I just updated the port source tree and did
a portupgrade. These programs are still listed as INFECTED. So, my
question should be if these have been fixed or someone is really messing
with my system.
Is there a problem with 'chkrootkit-0.40' on 5.x? It tells me that some of
the files are infected (I know for a fact that they're not)..
Files reported as infected:
/usr/bin/chfn
/usr/bin/chsh
/bin/date
/bin/ls
/bin/ps
localhost# uname -a
FreeBSD localhost.tuxsux.org 5.1-RELEASE FreeBSD 5.1
On Fri, Jun 06, 2003 at 11:21:47AM -0700 or thereabouts, [EMAIL PROTECTED] seemed to
write:
Is there a problem with 'chkrootkit-0.40' on 5.x? It tells me that some of
the files are infected (I know for a fact that they're not)..
Files reported as infected:
/usr/bin/chfn
/usr/bin/chsh
/bin
On Thu, 13 Feb 2003, Todd Zimmermann wrote:
Was wondering if anyone else has gotten positives on a rather vague lkm
trojan when running chkrootkit on 5.0-release p1 ?
Yes. And verified it was a false positive by checking with a few other
people.
Thinking it's probably just the port not being
On Thu, Feb 13, 2003 at 02:39:04AM -0500, Todd Zimmermann wrote:
Was wondering if anyone else has gotten positives on a rather vague lkm
trojan when running chkrootkit on 5.0-release p1 ?
By definition chkrootkit can only ever use guesswork, and will
occasionally produce false positives
Was wondering if anyone else has gotten positives on a rather vague lkm
trojan when running chkrootkit on 5.0-release p1 ?
I ran it occasionally on 4.7 stable and it never found anything.
It's reporting chfn, chsh, date, ls, and ps as infected and a possible
lkm trojan being loaded, plus 8-12
Greetings,
I'd like to thank all who replied, the advice and suggestions were valuable
and appreciated, not to mention timely!
It looks like it was a false positive. I ran netstat from cd, new
chkrootkit compiled on a clean machine, and nmap remotely. It also made
sense to mount / (-ro) from
and max.vnodes to 16384. As the system
my kern.maxfiles is set to: 65536 and max.vnodes to 8662
and try to set up /etc/login.conf see: man login.conf and all section of files :)
for users
started to recover for fun I ran chkrootkit which came back with this:
try compile lsof is better for ports
Hi all,
I could sure use some help interpreting this. I guess I'd like to know if
chkrootkit could give a false positive under a file table full condition?
A 4.6.2-RELEASE-p2 system (running bind 8.3.3-REL and sendmail 8.12.3)
started getting syslog messages like:
/kernel: file: table is full