Jim is away from his keyboard for a few days. In lieu of his authoritative answers let me provide some information.
> ** sh-utils-2.0
> ** chkrootkit-0.35 (chkrootkit.org)
>
> 'chkrootkit' says that 'date' (sh-utils) contains a rootkit. Is this a
> false positive or not?

Since the GNU utilities are core to many flavors of operating systems they are prime targets for a cracker to attack. Therefore it is not impossible that your rootkit detection software may have found a real rootkit on a version of the file that you have for sh-utils. But you did not say where you obtained your file. I was not able to recreate your check using the official release bits.

The official location for released versions of sh-utils is at:

ftp://ftp.gnu.org/gnu/sh-utils/

At this time sh-utils is in need of a new release. Probably the best versions are the testing versions which are located here. I recommend using sh-utils-2.0.11.tar.gz located here.

ftp://alpha.gnu.org/gnu/shellutils/

And, of course, the main web page is here with more general information.

http://www.gnu.org/software/shellutils/

Since I don't have the original announcements I can't vouch for the official release signatures. But I do have a copy of 2.0 dated 'Sun Aug 15 14:45:37 1999' which is when I downloaded that file from the ftp.gnu.org site. I just downloaded a fresh copy and it bit compared exactly to the old copy I had lying around. Here are my cksum values which you could use to compare to your possibly compromised files.

  5e78d1d48ca563ca77e96b22406c4aaf sh-utils-2.0.tar.gz
  a2970bb68eafc4b35f44e8121390adb44409067c sh-utils-2.0.tar.gz

I did not examine chkrootkit in detail. But it is possible that it is creating a false positive due to the nature of the shell utils code. GNU shell utilities includes 'su' among others. If chkrootkit is looking for C code that manipulates user id environments and such then it would certainly be triggered by the code in su.c and other programs in the utilities or by other indications that a user is intending to replace system utilities. But since that is exactly what the utilities do this is probably confusing chkrootkit.

To the best of my knowledge, those utilities do not contain a rootkit. If you conclude otherwise please do not hesitate to bring this to the attention of the list.

Bob
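
The comparison the reply describes, as an added example that is not part of the original message: the script parses the two digest lines as posted and checks a local copy of the tarball against them. The function names are illustrative, and inferring the algorithm from the digest length is an assumption, since the message does not name the algorithms.

```python
import hashlib
import os
import sys

# Digest lines exactly as posted in the message ("<hex digest> <file name>").
POSTED = """\
5e78d1d48ca563ca77e96b22406c4aaf sh-utils-2.0.tar.gz
a2970bb68eafc4b35f44e8121390adb44409067c sh-utils-2.0.tar.gz
"""

# Assumption: the algorithm is inferred from the hex length, because the
# message does not name it (32 hex characters = MD5, 40 = SHA-1).
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1"}

def parse_digest_lines(text):
    """Return a list of (algorithm, hex digest, file name) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or incomplete line
        # md5sum/sha1sum prefix the name with '*' in binary mode; drop it.
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("unrecognised digest: %r" % parts[0])
        entries.append((algo, digest, name))
    return entries

def file_digest(path, algo):
    """Hash the file in chunks so large tarballs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, entries):
    """Return {algorithm: matches} for every entry naming this file."""
    base = os.path.basename(path)
    return {algo: file_digest(path, algo) == digest
            for algo, digest, name in entries if name == base}

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "sh-utils-2.0.tar.gz"
    results = verify(path, parse_digest_lines(POSTED))
    print(results)
    # An empty result (no digest line names this file) is a failure too.
    sys.exit(0 if results and all(results.values()) else 1)
```

A match on both digests shows only that the local tarball is byte-identical to the copy described in the message; it says nothing about binaries already installed on the system.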
