On Wed, Apr 14, 2004 at 12:29:19PM -0700, Mike wrote:
> Well... I installed and ran chkrootkit. And the output shows that:
>
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
>
> No rootkits were found.
> Question: Does chkrootkit ever generate false positives?

In a word: yes. This was something that was quite a popular question
on this list some months back around the time of one of the earlier
5.x releases. I don't remember anyone mentioning this in the context
of 4.9 or earlier systems, but that could just be my memory failing.

http://lists.freebsd.org/pipermail/freebsd-security/2003-August/000755.html

For the rest of the traffic look at:

http://www.google.co.uk/search?hl=en&ie=UTF-8&oe=UTF-8&safe=off&q=site%3Alists.freebsd.org+chkrootkit+chfn+INFECTED&btnG=Search&meta=

(Nb. chkrootkit has since been fixed to work correctly under 5.x)

However see this:

http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011362.html

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614