Bob Proulx wrote (Sat 30-Mar-2002, 12:01:54 -0700)

> Jim is away from his keyboard for a few days. In lieu of his
> authoritative answers let me provide some information.
>
> > ** sh-utils-2.0
> > ** chkrootkit-0.35 (chkrootkit.org)
> >
> > 'chkrootkit' says that 'date' (sh-utils) contains a rootkit. Is this a
> > false positive or not?
>
> Since the GNU utilities are core to many flavors of operating systems
> they are prime targets for a cracker to attack. Therefore it is not
> impossible that your rootkit detection software may have found a real
> rootkit on a version of the file that you have for sh-utils.
>
> But you did not say where you obtained your file. I was not able to
> recreate your check using the official release bits. The official
> location for released versions of sh-utils is at:
>
> ftp://ftp.gnu.org/gnu/sh-utils/
>
> At this time sh-utils is in need of a new release. Probably the best
> versions are the testing versions which are located here. I recommend
> using sh-utils-2.0.11.tar.gz located here.
>
> ftp://alpha.gnu.org/gnu/shellutils/
>
> And, of course, the main web page is here with more general
> information.
>
> http://www.gnu.org/software/shellutils/
>
> Since I don't have the original announcements I can't vouch for the
> official release signatures. But I do have a copy of 2.0 dated 'Sun
> Aug 15 14:45:37 1999' which is when I downloaded that file from the
> ftp.gnu.org site. I just downloaded a fresh copy and it bit compared
> exactly to the old copy I had lying around. Here are my cksum values
> which you could use to compare to your possibly compromised files.
>
> 5e78d1d48ca563ca77e96b22406c4aaf sh-utils-2.0.tar.gz
> a2970bb68eafc4b35f44e8121390adb44409067c sh-utils-2.0.tar.gz
>
> I did not examine chkrootkit in detail. But it is possible that it is
> creating a false positive due to the nature of the shell utils code.
> GNU shell utilities includes 'su' among others. If chkrootkit is
> looking for C code that manipulates user id environments and such then
> it would certainly be triggered by the code in su.c and other programs
> in the utilities or by other indications that a user is intending to
> replace system utilities. But since that is exactly what the
> utilities do this is probably confusing chkrootkit.
>
> To the best of my knowledge, those utilities do not contain a
> rootkit. If you conclude otherwise please do not hesitate to bring
> this to the attention of the list.
>
> Bob

Well: alas, sad point, I don't remember from where exactly I have
downloaded sh-utils. (Something that I will change for sure.) I often
use mirrors: Korea, Japan, Thailand, Australia, China; but not always:
sometimes it's from the US. Plus, all but Thailand have many sites; I
could also not say from which one exactly per country.

On the other hand, the md5sum of my sh-utils-2.0.tar.gz is the same as
the one that you have indicated: 5e78d1d48ca563ca77e96b22406c4aaf.
(Perhaps there are a few more chances that it's a false positive
indeed.)

It would be nice to use public keys, and sign the software.

I am in contact with Nelson Murilo <[EMAIL PROTECTED]>, who is looking
if it's a false positive or not. Let me know if you want to see the
details of the correspondence.

/Roy Lanek

_______________________________________________
Bug-sh-utils mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-sh-utils
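The check Bob suggests above (hash the downloaded tarball and compare against digests obtained from a trusted source) is shown below as an added Python example; it is not code from the thread or from sh-utils. It infers the algorithm from the digest length (the 32-hex value Bob posted is MD5, the 40-hex value is SHA-1), and the file it hashes is a constructed stand-in written to a temporary file.

```python
import hashlib
import hmac
import os
import tempfile

# Hex-digest lengths of the algorithms seen in the thread (32 = MD5,
# 40 = SHA-1); SHA-256 added since newer releases publish it.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def digests_of(path, algos=("md5", "sha1")):
    """Return {algo: hexdigest} for the file, read once in 64 KiB chunks."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_digests(path, expected):
    """Compare the file against published hex digests; the algorithm is
    inferred from each digest's length. Returns {algo: matched}."""
    wanted = {}
    for hexdigest in expected:
        algo = ALGO_BY_HEX_LEN.get(len(hexdigest))
        if algo is None:  # refuse to silently skip an unknown value
            raise ValueError("unrecognised digest length: %d" % len(hexdigest))
        wanted[algo] = hexdigest.lower()
    actual = digests_of(path, tuple(wanted))
    # compare_digest is the habit to keep for any digest comparison
    return {a: hmac.compare_digest(actual[a], wanted[a]) for a in wanted}


def all_match(results):
    """True only if at least one digest was checked and every one matched."""
    return bool(results) and all(results.values())


def write_constructed_sample(data):
    """Write constructed bytes to a temp file standing in for a tarball."""
    fd, path = tempfile.mkstemp(suffix=".tar.gz")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = write_constructed_sample(b"constructed stand-in for a release tarball\n")
    got = digests_of(sample)
    print(verify_digests(sample, [got["md5"], got["sha1"]]))  # both True
    print(verify_digests(sample, [got["md5"], "0" * 40]))     # sha1 False
```

A match only says the file equals whatever the reference digests describe; as Bob notes, without the signed announcements the reference values themselves rest on where they came from.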
