chkrootkit
Hi!

My system: newly installed FreeBSD 7.1, KDE 3.5.10

I ran chkrootkit and I got:

...
Checking `sshd'... /usr/bin/strings: Warning: '/' is not an ordinary file
...
...
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed...

I ran rkhunter -c also and at the end I have:

System checks summary
=====================

File properties checks...
Required commands check failed
Files checked: 103
Suspect files: 0

Rootkit checks...
Rootkits checked : 77
Possible rootkits: 0

Applications checks...
Applications checked: 4
Suspect applications: 0

I am confused about chkrootkit and the line:

Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed...

Thanks in advance.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: chkrootkit
On Wed, Jan 28, 2009 at 5:13 PM, ajtiM lum...@gmail.com wrote:
> Searching for t0rn's default files and dirs... nothing found
> Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed...

Have you properly updated chkrootkit? If so, it appears you have a rootkit on your system. How old is the installation?

-- 
Glen Barber
Re: chkrootkit
Glen Barber wrote:
> On Wed, Jan 28, 2009 at 5:13 PM, ajtiM lum...@gmail.com wrote:
>> Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed...
>
> Have you properly updated chkrootkit? If so, it appears you have a rootkit on your system. How old is the installation?

I think this post [1] might be relevant from the debian mailing list.

[1] http://lists.debian.org/debian-user/2001/12/msg02253.html

-- 
Eitan Adler
Security is increased by designing for the way humans actually behave. -Jakob Nielsen
Re: chkrootkit
On Wednesday 28 January 2009 16:30:54 Glen Barber wrote:
> Have you properly updated chkrootkit? If so, it appears you have a rootkit on your system. How old is the installation?

I installed chkrootkit from the ports, and I have had FreeBSD 7.1 for about one week; only FreeBSD is on the computer. Fresh installation, and IMO I visited only safe web pages. I have a desktop computer, cable Internet. I have Skype installed but I haven't used it yet.
Re: chkrootkit
On Wednesday 28 January 2009 16:40:51 Eitan Adler wrote:
> I think this post [1] might be relevant from the debian mailing list.
>
> [1] http://lists.debian.org/debian-user/2001/12/msg02253.html

I read it, and it is supposed to be a libproc.a problem. I don't have experience with chkrootkit and it is not clear to me where it found a rootkit: which file, dir...

Thanks.
Re: chkrootkit
ajtiM said:
> I read it, and it is supposed to be a libproc.a problem. I don't have experience with chkrootkit and it is not clear to me where it found a rootkit: which file, dir...

The link Eitan posted is very clear. It is (most likely) a false alarm.

-- 
Glen Barber
Re: chkrootkit
On Wednesday 28 January 2009 19:04:27 Glen Barber wrote:
> The link Eitan posted is very clear. It is (most likely) a false alarm.

Thank you very much, Eitan and Glen :). Yes, it is a false alarm :).
chkrootkit
Hi, questions!

I know English badly; I apologize in advance for the illiteracy. I ask for your help in solving my problem.

I downloaded the rootkit-checking program from the site http://www.chkrootkit.org/. I ran it and got the result below. I am disturbed by the line Checking `date'... INFECTED

# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not infected
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... INFECTED
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not found
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not infected
Checking `traceroute'... not infected
Checking `vdir'... not found
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... rl0 is not promisc
plip0 is not promisc
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted

My FreeBSD:

FreeBSD server.alf-ua.com 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: Wed Jan 11 12:41:53 GMT 2006 root@:/usr/src/sys/i386/compile/kernel_11.01.06 i386

I came home, installed the same FreeBSD on my home computer, and got the same report: Checking `date'... INFECTED

What should I do? Is it a mistake by the developers of the program or by yours? I await your answer impatiently. Thanks in advance.
Re: chkrootkit
On Sun, Apr 09, 2006 at 08:39:51PM +0300, Vitaliy K wrote:
> Hi, questions!
>
> I know English badly; I apologize in advance for the illiteracy. I ask for your help in solving my problem.
>
> I downloaded the rootkit-checking program from the site http://www.chkrootkit.org/. I ran it and got the result below. I am disturbed by the line Checking `date'... INFECTED
>
> # ./chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not infected
> Checking `basename'... not infected
> Checking `biff'... not infected
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... INFECTED
>
> What should I do? Is it a mistake by the developers of the program or by yours?

Most likely the program is wrong, this kind of utility really only makes wild guesses. But you never know, so if you have other reason to believe your system was compromised you should still consider taking action.

Kris
Re: chkrootkit
Hi,

you can use also this port: /usr/ports/security/rkhunter

After the installation update the database:

rkhunter --update
rkhunter -c

Best regards
Michal Kapalka

Vitaliy K wrote:
> I downloaded the rootkit-checking program from the site http://www.chkrootkit.org/. I ran it and got the result below. I am disturbed by the line Checking `date'... INFECTED
>
> # ./chkrootkit
> ROOTDIR is `/'
> ...
> Checking `date'... INFECTED
> ...
> Checking `z2'... nothing deleted
>
> I came home, installed the same FreeBSD on my home computer, and got the same report: Checking `date'... INFECTED
More chkrootkit errors
Hi all,

Now, on top of the time error I was receiving (earlier post last week), I am now getting:

Checking `z2'... chklastlog in malloc(): error: recursive call
Abort trap (core dumped)

after running chkrootkit. Can someone help me understand z2 and why I'm getting all these errors?

Thanks!

-Matt
Re: More chkrootkit errors
On Wed, Oct 19, 2005 at 03:42:46PM -0400, Matt Juszczak wrote:
> Now, on top of the time error I was receiving (earlier post last week), I am now getting:
>
> Checking `z2'... chklastlog in malloc(): error: recursive call
> Abort trap (core dumped)
>
> after running chkrootkit. Can someone help me understand z2 and why I'm getting all these errors?

Because chkrootkit is, by design, an imprecise and error-prone concept (and apparently not well-written either, from your above application error).

Kris
Re: chkrootkit
Paul Schmehl [EMAIL PROTECTED] writes:
> Out of curiosity more than anything else, I installed chkrootkit on a server I maintain and ran it. It returned this:
>
> Checking `bindshell'... INFECTED (PORTS: 465)
>
> I'm running smtps on that server, so this is apparently a false positive. Has anyone else seen this?

A *very* quick look at the source makes me think that the check isn't doing much more than checking for the port being open, in which case you're right. If you don't get a more knowledgeable answer from this mailing list, though, you should go to the chkrootkit folks.
chkrootkit
Out of curiosity more than anything else, I installed chkrootkit on a server I maintain and ran it. It returned this:

Checking `bindshell'... INFECTED (PORTS: 465)

I'm running smtps on that server, so this is apparently a false positive. Has anyone else seen this?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
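The reply above suspects that the bindshell test does little more than confirm a port is open, so a legitimate daemon (smtps on 465 here) trips it exactly like a bind shell would. The script below is an added example, not code from the thread or from chkrootkit: it triages such a finding by checking each port the tool names against a hand-maintained list of this host's known listeners, so only ports nobody can account for get a closer look. The sample output line, the allowlist contents and port 9999 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or chkrootkit): triage a
# "Checking `bindshell'... INFECTED (PORTS: ...)" line against the
# ports this host is known to serve.

# Constructed sample in chkrootkit's output format. 465 is the poster's
# smtps; 9999 is a made-up port with no known service behind it.
SAMPLE_LINE='Checking `bindshell'\''... INFECTED (PORTS: 465 9999)'

# Constructed allowlist for this host as port:service pairs. Maintain it
# by hand or derive it from "sockstat -4l" on FreeBSD.
KNOWN_PORTS="22:sshd 25:smtpd 80:httpd 465:smtps"

# Print the port numbers named in a bindshell line, space separated.
bindshell_ports() {
    printf '%s\n' "$1" | sed -n 's/.*PORTS: *\([0-9 ]*\)).*/\1/p'
}

# Print, one per line, the reported ports with no allowlist entry.
# Only these warrant investigation (which process owns the socket,
# since when, and whether that process should exist at all).
unexplained_ports() {
    for p in $(bindshell_ports "$1"); do
        case " $2 " in
            *" $p:"*) ;;               # explained by a known service
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Stand-alone run on the constructed sample.
main() {
    echo "reported by chkrootkit: $(bindshell_ports "$SAMPLE_LINE")"
    left=$(unexplained_ports "$SAMPLE_LINE" "$KNOWN_PORTS")
    if [ -n "$left" ]; then
        echo "unexplained ports, investigate: $left"
    else
        echo "every reported port maps to a known service (false positive)"
    fi
}
main
```

For a real run, feed it the bindshell line from the chkrootkit log and keep the allowlist under version control, so a port that appears in neither the allowlist nor your change history stands out. The allowlist only explains a port, it does not prove the process behind it is the expected one; confirming that is a separate step.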
Output of nightly chkrootkit odd...
Hi all,

Got the following line in recent check root kits:

Checking `z2'... Remaining time: 51480.00 seconds
chklastlog: nothing deleted

Not sure what it means... it usually just says chklastlog: nothing deleted. Should this be a cause for concern? A search of google yielded little to no help.

Thanks!

-Matt
chkrootkit says 'date' is infected
I just installed and ran the chkrootkit port on my 5.2.1-RELEASE-p5 system. It says my date command is infected. Nothing else, just that. How can I determine if this is a false positive or if I'm truly hacked?

-ste
Re: chkrootkit says 'date' is infected
On Thu, May 13, 2004 at 03:25:44PM -0400, Shaun T. Erickson wrote:
> I just installed and ran the chkrootkit port on my 5.2.1-RELEASE-p5 system. It says my date command is infected. Nothing else, just that. How can I determine if this is a false positive or if I'm truly hacked?

Talk to the chkrootkit developers. Their tool provides so many false positives that they're the ones who should be bearing the responsibility for dealing with user confusion :)

Kris
chkrootkit reports infected date
Hello,

I just ran chkrootkit -n -q on a 5.2.1 box, and it showed date as being infected, but nothing else, no worms, and it didn't say with what. Given my last experience I would appreciate any suggestions as to how to identify this anomaly and stop it.

Thanks.
Dave.
Re: chkrootkit reports infected date
Dave wrote:
> I just ran chkrootkit -n -q on a 5.2.1 box, and it showed date as being infected, but nothing else, no worms, and it didn't say with what. Given my last experience I would appreciate any suggestions as to how to identify this anomaly and stop it.

Hey there,

If you want to put yourself at ease, get the source for date and compile it. After it's compiled try again. I searched google groups and it seems you may be getting what they call a false positive.

HTH
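The advice above, rebuild date from source and run the scanner again, can be made more direct: hash the installed binary against the freshly built one, since a byte-for-byte match settles the question and a mismatch is the thing actually worth chasing. The script is an added example, not code from the thread or from FreeBSD; its demo files are constructed stand-ins for /bin/date, a rebuild and a modified copy, and it assumes sha256(1) on FreeBSD or sha256sum(1) on most other systems.

```shell
#!/bin/sh
# Added example (not from the thread): verify a binary flagged "INFECTED"
# by comparing its SHA-256 with that of a known-good copy, e.g. one just
# rebuilt from /usr/src or taken from the release media.

# SHA-256 of a file using whichever tool the host provides
# (sha256(1) on FreeBSD, sha256sum(1) on most Linux systems).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Compare installed binary $1 with reference $2. Prints "match" and
# returns 0 when the digests agree; prints both digests and returns 1
# otherwise, so it can drive a cron job or a shell conditional.
verify_binary() {
    inst_hash=$(file_sha256 "$1")
    ref_hash=$(file_sha256 "$2")
    if [ "$inst_hash" = "$ref_hash" ]; then
        echo "match"
        return 0
    fi
    echo "MISMATCH $1=$inst_hash $2=$ref_hash"
    return 1
}

# Stand-alone demonstration on constructed files (not real binaries).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'pretend date binary' > "$tmp/date.installed"
    printf 'pretend date binary' > "$tmp/date.rebuilt"
    printf 'pretend date binary, patched' > "$tmp/date.modified"
    verify_binary "$tmp/date.installed" "$tmp/date.rebuilt"
    verify_binary "$tmp/date.installed" "$tmp/date.modified" \
        || echo "(modified copy correctly flagged)"
    rm -rf "$tmp"
}
demo
```

In practice that is verify_binary /bin/date against the date built in /usr/src/bin/date. Two caveats a practitioner wants: the reference must come from the same source revision, compiler and build flags, otherwise a mismatch only reflects the build; and hashes computed on a host whose kernel is in doubt prove less than the same hashes computed after booting from known-good media, which is why the reply's "compile it and try again" is reassurance rather than proof.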
Re: False positives from chkrootkit? or hacked test server?
On Wed, Apr 14, 2004 at 12:29:19PM -0700, Mike wrote:
> Well... I installed and ran chkrootkit. And the output shows that:
>
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
>
> No rootkits were found.
>
> Question: Does chkrootkit ever generate false positives?

In a word: yes. This was something that was quite a popular question on this list some months back around the time of one of the earlier 5.x releases. I don't remember anyone mentioning this in the context of 4.9 or earlier systems, but that could just be my memory failing.

http://lists.freebsd.org/pipermail/freebsd-security/2003-August/000755.html

For the rest of the traffic look at:

http://www.google.co.uk/search?hl=en&ie=UTF-8&oe=UTF-8&safe=off&q=site%3Alists.freebsd.org+chkrootkit+chfn+INFECTED&btnG=Search&meta=

(Nb. chkrootkit has since been fixed to work correctly under 5.x) However see this:

http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011362.html

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
Re: False positives from chkrootkit? or hacked test server?
Hello,

thanks for the info :), that explains why my 4.9-STABLE was not infected and 4.10-BETA shows false positives.. But I am still a bit unsure why my 5.2.1-RELEASE-p4 (not mentioning one false positive) stops while checking lkm..

Cheers,
Martin

On Thu, Apr 15, 2004 at 08:29:17AM +0100 or thereabouts, Matthew Seaman wrote:
> In a word: yes. This was something that was quite a popular question on this list some months back around the time of one of the earlier 5.x releases. I don't remember anyone mentioning this in the context of 4.9 or earlier systems, but that could just be my memory failing.
>
> http://lists.freebsd.org/pipermail/freebsd-security/2003-August/000755.html
>
> (Nb. chkrootkit has since been fixed to work correctly under 5.x) However see this:
>
> http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011362.html

-- 
Martin Hudec | corwin at aeternal.net | corwin at web.markiza.sk
http://www.aeternal.net | cell +421 907 303 393
False positives from chkrootkit? or hacked test server?
Greetings:

My test system: FreeBSD 4.9-stable, Pentium III 800

I read an earlier post about using chkrootkit to check for root kits (intrusions). I'm still learning about FreeBSD so I thought I would run this too.

Well... I installed and ran chkrootkit. And the output shows that:

Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED

No rootkits were found.

This FreeBSD system is a test server running Postfix, Samba, Apache, PHP4, MySql, and akpop3. For a firewall I run IPFW. This computer sits behind a NAT router (linksys BEFSR41). The Linksys router forwards a few ports (25, 110, 80) to a different server (a Redhat-9 system). However, NO PORTS are forwarded to this FreeBSD system. My Redhat-9 server runs Apache, Mysql, php4, and postfix.

Question: Does chkrootkit ever generate false positives?

This system has just a few test websites on it (test data) and nothing else. But if this system has been compromised, then how? Given that any public services (forwarded from the router) coming across ports 25, 110, 80, 22 are sent to a different server altogether?

I would appreciate any hints or pointers.

Thank you.

Michael Chinn
Re: False positives from chkrootkit? or hacked test server?
On Wed, Apr 14, 2004, Mike clacked the keyboard to produce:
> Well... I installed and ran chkrootkit. And the output shows that:
>
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
>
> No rootkits were found.
>
> Question: Does chkrootkit ever generate false positives?

Michael,

I cannot answer your question, but rather throw in my false positive question as well. I am running FBSD 5.0 release with named, Apache, MySQL, and Samba too. I received the exact same positives from my system. Everything else is fine.

In Googling I found a question as such and the only reply was FAQ and read the archives, to wit, some joker has a name of chkrootkit and you get a zillion of his mails, yet nothing helpful otherwise.

Looking forward to hearing something too.

-- 
Bob

Play is the work of children. It's very serious stuff. And if it's properly structured in a developmental program, children can blossom. -Bob Keeshan aka `Captain Kangaroo'
Re: False positives from chkrootkit? or hacked test server? [SOLVED]
Jeff Maxwell wrote:
> upgrade your ports. The chkrootkit that ships with 4.9 gives false positives

Jeff:

Thanks for the tip. I deinstalled the chkrootkit (v-4.1) that came with 4.9. I then downloaded and installed the most recent version (v-4.3) from the chkrootkit.org site. I re-ran chkrootkit and found NO infected files and NO rootkits.

Michael Chinn

On Apr 14, 2004, at 3:29 PM, Mike wrote:
> Well... I installed and ran chkrootkit. And the output shows that:
>
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
>
> No rootkits were found.
>
> Question: Does chkrootkit ever generate false positives?
Re: False positives from chkrootkit? or hacked test server?
Hello all,

On Wed, Apr 14, 2004 at 02:11:34PM -0700 or thereabouts, Mike wrote:
> Jeff Maxwell wrote:
>> upgrade your ports. The chkrootkit that ships with 4.9 gives false positives

I'm using chkrootkit from a fresh ports update (v4.3). Results are as follows:

System 1 on 4.9-STABLE: nothing found
System 2 on 4.10-BETA: chfn, chsh, date infected
System 3 on 5.2.1-RELEASE-p4: date infected, stops (freezes) at checking 'lkm'

strace shows:

wait4(-1, Process 610 attached - interrupt to quit

Systems are behind two firewalls, with only ssh allowed (5.x) or ftp, ssh, smtp, www, pop3 and https allowed (4.x).

-- 
Martin Hudec | corwin at aeternal.net | corwin at web.markiza.sk
http://www.aeternal.net | cell +421 907 303 393
Chkrootkit anomaly
Since there have already been a couple of questions on this I thought I'd see if anyone could shed some light on something I've noticed since I started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in quiet mode to cut down on noise in the logs, and sporadically I get these notifications:

You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

These messages will appear only on the odd occasion, seemingly completely at random. False positives or very crafty rootkit? Any advice would be greatly appreciated!

Sean.

Pertinent details:

FreeBSD 4.8-RELEASE-p3

kldstat
Id Refs Address    Size   Name
 1    2 0xc010     2addcc kernel
 2    1 0xc166f000 4000   logo_saver.ko

Installed Packages:

BitchX-1.0c19_2, XFree86-libraries-4.3.0_1, amavisd-new-20021227.p2, apache+mod_ssl-1.3.27+2.8.14, arc-5.21e.8_1, aspell-0.50.3_1, apache+autoconf-2.53_1, autoconf213-2.13.000227_5, automake-1.5,1, automake14-1.4.5_9, bash-2.05b, cclient-2002,1, chkrootkit-0.41, compat3x-i386-4.4.20020925, cracklib-2.7_1, curl-7.9.8, cvsup-16.1g, db3-3.3.11,1, docbook-1.2, docbook-241, docbook-3.0, docbook-3.1, docbook-4.0, docbook-4.1, expat-1.95.6_1, ezm3-1.0, fontconfig-2.1.94_1, freetype2-2.1.4_1, gd-2.0.11, gettext-0.11.5_1, gmake-3.80, help2man-1.29, horde-2.2, httplog-2.1, imake-4.3.0, imap-uw-2002_1,1, imp-3.1_3, iso8879-1986, ispell-3.2.06_3, jade-1.2.1_1, jpeg-6b_1, kronolith-1.0_3, lha-1.14i, libiconv-1.8_2, libmcal-0.7, libmcrypt-2.5.6_1, libtool-1.3.4_4, libwmf-0.2.7, libxml2-2.5.6, linuxdoc-1.1, logcheck-1.1.1, m4-1.4_1, mhash-0.8.17, mkcatalog-1.1, mm-1.2.1, mod_php4-4.3.1, mysql-client-3.23.56, mysql-server-3.23.56, nag-1.1, nmap-3.00, openldap-2.0.25_3, p5-Archive-Tar-0.22, p5-Archive-Zip-1.05, p5-Authen-SASL-2.02, p5-Bit-Vector-6.3, p5-Compress-Zlib-1.16, p5-Convert-TNEF-0.17, p5-Convert-UUlib-0.213, p5-DBI-1.34_1, p5-Data-ShowTable-3.3, p5-Date-Calc-5.3, p5-Digest-HMAC-1.01, p5-Digest-MD5-2.22, p5-Digest-Nilsimsa-0.06, p5-Digest-SHA1-2.01, p5-File-Spec-0.82, p5-File-Tail-0.98_1, p5-HTML-Parser-3.26, p5-HTML-Tagset-3.03, p5-IO-1.20, p5-IO-stringy-2.108, p5-MIME-Base64-2.16, p5-MIME-Tools-5.411a_2, p5-Mail-SpamAssassin-2.43, p5-Mail-Tools-1.53, p5-Mysql-modules-1.2219, p5-Net-1.12,1, p5-Net-DNS-0.33_1, p5-Net-Daemon-0.36, p5-Net-Server-0.83, p5-PlRPC-0.2016, p5-PodParser-1.18, p5-Storable-2.06, p5-Test-Harness-2.26, p5-Test-Simple-0.47_1, p5-Time-HiRes-1.38,1, p5-TimeDate-1.1301, p5-URI-1.23, p5-Unix-Syslog-0.100, pear-Crypt_CBC-0.3, pear-Date-1.3, pear-Log-1.5, pear-install-4.3.0, perl-5.8.0_4, pine-4.56, pkgconfig-0.15.0, pkgdb.db, png-1.2.5_2, poppassd-4.0_2, portupgrade-20030427, procmail-3.22_2, python-2.2.2_2, qpopper-4.0.5_1, razor-agents-2.21_1, ruby-1.6.8.2003.04.19, ruby-bdb1-0.2.1, ruby-rdoc-0.0.0.b2, ruby-shim-ruby18-1.8.0.p2.2003.04.19_1, screen-3.9.15_1, sed_inplace-2002.10.19, sgmlformat-1.7_2, swatch-3.0.4, turba-1.1_3, unarj-2.43_1, unrar-.11,1, unzip-5.50, wget-1.8.2_3, wide-dhcp-1.4.0.6, wv-0.7.4, xlhtml-0.5.1, zoo-2.10.1

Sean Page
Network Analyst, Internet Services
Information Technology Services
Edmonton Public Schools
Phone: (780) 429-8206
http://its.epsb.ca
Re: Chkrootkit anomaly
> Since there have already been a couple of questions on this I thought I'd see if anyone could shed some light on something I've noticed since I started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in quiet mode to cut down on noise in the logs, and sporadically I get these notifications:
>
> You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> These messages will appear only on the odd occasion, seemingly completely at random. False positives or very crafty rootkit?
>
> Any advice would be greatly appreciated!

Hi Sean,

I too have occasionally seen these, I am running 4.7-RELEASE.

Also, thanks for mentioning -q, I never knew there was such a thing :-)

Lewis
RE: Chkrootkit anomaly
> Since there have already been a couple of questions on this I thought I'd see if anyone could shed some light on something I've noticed since I started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in quiet mode to cut down on noise in the logs, and sporadically I get these notifications:
>
> You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> These messages will appear only on the odd occasion, seemingly completely at random. False positives or very crafty rootkit?
>
> Any advice would be greatly appreciated!

http://www.chkrootkit.org/ FAQ item #6 is what you are interested in, although it isn't clear. The problem is that processes are ending before it can check them, thus they are incorrectly tagged as hidden and result in a false positive. There are better resources regarding this (researched it a few months ago) but that is roughly the gist of it.

Dave
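The race Dave describes is easy to see in code. The following is an added example, not code from the thread or from chkrootkit itself: a chkproc-style single-pass comparison of PIDs seen via readdir(/proc) against PIDs listed by ps, followed by a re-sampling step that keeps only PIDs hidden in every consecutive snapshot. All PID snapshots are constructed by hand (nothing is read from a live /proc), and the function names are this example's own.

```python
"""Added example (not from the thread): why a chkproc-style "hidden process"
check races against short-lived processes, and a re-sampling step that keeps
a real hidden PID while dropping the transient one. All PID snapshots here
are constructed by hand; nothing is read from a live /proc."""
from typing import Iterable, List, Set, Tuple

# (pids returned by readdir(/proc), pids listed by ps) taken one after the other
Snapshot = Tuple[Iterable[int], Iterable[int]]


def hidden_pids(readdir_pids: Iterable[int], ps_pids: Iterable[int]) -> Set[int]:
    """Single-pass check in the spirit of chkproc: a PID that readdir(/proc)
    returns but ps does not list is reported as "hidden for ps command".
    Because the two enumerations are not atomic, a process that exits between
    them is reported the same way as one an LKM rootkit is concealing."""
    return set(readdir_pids) - set(ps_pids)


def confirm_hidden(samples: List[Snapshot]) -> Set[int]:
    """Re-sampling: only a PID that is hidden in every one of several
    consecutive snapshots is kept. A process that merely exited mid-check
    vanishes from /proc too, so it cannot stay in the intersection; a PID a
    rootkit keeps out of ps stays hidden in every sample."""
    confirmed: Set[int] = set()
    for i, (readdir_pids, ps_pids) in enumerate(samples):
        h = hidden_pids(readdir_pids, ps_pids)
        confirmed = h if i == 0 else confirmed & h
        if not confirmed:
            break  # nothing left to confirm
    return confirmed


# Constructed scenario 1: the race from FAQ #6. PID 4242 is a cron child that
# is alive when /proc is read but has exited by the time ps runs.
RACE_SAMPLES: List[Snapshot] = [
    ([1, 88, 412, 4242], [1, 88, 412]),        # first pass: 4242 looks hidden
    ([1, 88, 412], [1, 88, 412]),              # next pass: 4242 is gone everywhere
    ([1, 88, 412, 4310], [1, 88, 412, 4310]),  # a new child, visible to both
]

# Constructed scenario 2: PID 666 is present in /proc in every sample but never
# appears in ps output, the pattern a process-hiding LKM would produce.
ROOTKIT_SAMPLES: List[Snapshot] = [
    ([1, 88, 412, 666], [1, 88, 412]),
    ([1, 88, 412, 666, 4242], [1, 88, 412, 4242]),
    ([1, 88, 412, 666], [1, 88, 412]),
]


def verdicts() -> dict:
    """Return both the naive single-pass result and the re-sampled result
    for each scenario so the difference can be inspected (or asserted on)."""
    return {
        "race_single_pass": hidden_pids(*RACE_SAMPLES[0]),        # {4242}: false positive
        "race_confirmed": confirm_hidden(RACE_SAMPLES),           # set(): cleared
        "rootkit_single_pass": hidden_pids(*ROOTKIT_SAMPLES[0]),  # {666}
        "rootkit_confirmed": confirm_hidden(ROOTKIT_SAMPLES),     # {666}: still flagged
    }


if __name__ == "__main__":
    for name, pids in verdicts().items():
        print(f"{name}: {sorted(pids) or 'none'}")
```

Re-sampling only removes the transient noise; a PID that survives confirmation still has to be examined with tools run from trusted media, as the later thread on this page does, because the ps binary on the suspect host is exactly what a rootkit would have replaced.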
Re: chkrootkit reports INFECTED :(
On Fri, Aug 15, 2003 at 09:50:53AM +0400, Mikhail E. Zakharov wrote:
> Hi!
> Running chkrootkit on newly installed FreeBSD 5.0 got:

FAQ. Consult the archives.

Kris
chkrootkit reports INFECTED :(
Hi!

Running chkrootkit on newly installed FreeBSD 5.0 got:

-cut-
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `cron'... not infected
Checking `date'... INFECTED
-cut-
Checking `ls'... INFECTED
-cut-
Checking `ps'... INFECTED
Checking `pstree'... not found
-cut-

What does it mean? Is my system hacked?
chkrootkit version 0.41 results on FBSD 5.1R#0
I have the following listed as INFECTED:

Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED

Does anyone have the same output?

---
Lou
Re: chkrootkit version 0.41 results on FBSD 5.1R#0
On Thu, Jun 26, 2003 at 02:02:19AM -0700, Tak Pui LOU wrote:
> I have the following listed as INFECTED:
>
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `date'... INFECTED
> Checking `ls'... INFECTED
> Checking `ps'... INFECTED
>
> Does anyone have the same output?

FAQ..please consult the archives.

Kris
Re: chkrootkit version 0.41 results on FBSD 5.1R#0
I read about this before. But, I just updated the port source tree and did a portupgrade. These programs are still listed as INFECTED. So, my question should be if these have been fixed or someone is really messing with my system.

---
Lou

On Thu, 26 Jun 2003, Kris Kennaway wrote:

> On Thu, Jun 26, 2003 at 02:02:19AM -0700, Tak Pui LOU wrote:
> > I have the following listed as INFECTED:
> >
> > Checking `chfn'... INFECTED
> > Checking `chsh'... INFECTED
> > Checking `date'... INFECTED
> > Checking `ls'... INFECTED
> > Checking `ps'... INFECTED
> >
> > Does anyone have the same output?
>
> FAQ..please consult the archives.
>
> Kris
Re: chkrootkit version 0.41 results on FBSD 5.1R#0
On Thu, Jun 26, 2003 at 02:14:45AM -0700, Tak Pui LOU wrote:
> I read about this before. But, I just updated the port source tree and did a portupgrade. These programs are still listed as INFECTED. So, my question should be if these have been fixed or someone is really messing with my system.

This question is asked regularly on the FreeBSD mailing lists. Please do some further research.

Kris
chkrootkit-0.40 FreeBSD 5.1
Is there a problem with 'chkrootkit-0.40' on 5.x? It tells me that some of the files are infected (I know for a fact that they're not)..

Files reported as infected:
/usr/bin/chfn
/usr/bin/chsh
/bin/date
/bin/ls
/bin/ps

localhost# uname -a
FreeBSD localhost.tuxsux.org 5.1-RELEASE FreeBSD 5.1-RELEASE #0: Wed Jun 4 06:09:58 MST 2003 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/KADAFI i386
Re: chkrootkit-0.40 FreeBSD 5.1
On Fri, Jun 06, 2003 at 11:21:47AM -0700 or thereabouts, [EMAIL PROTECTED] seemed to write:
> Is there a problem with 'chkrootkit-0.40' on 5.x? It tells me that some of the files are infected (I know for a fact that they're not)..
>
> Files reported as infected:
> /usr/bin/chfn
> /usr/bin/chsh
> /bin/date
> /bin/ls
> /bin/ps
>
> localhost# uname -a
> FreeBSD localhost.tuxsux.org 5.1-RELEASE FreeBSD 5.1-RELEASE #0: Wed Jun 4 06:09:58 MST 2003 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/KADAFI i386

Yes. It gives false positives for these 5 commands.

--
Josh
Re: chkrootkit on 5.0-release... false positive?
On Thu, 13 Feb 2003, Todd Zimmermann wrote:

> Was wondering if anyone else has gotten positives on a rather vague lkm trojan when running chkrootkit on 5.0-release p1 ?

Yes. And verified it was a false positive by checking with a few other people.

> Thinking it's probably just the port not being in sync with the new release but being a believer in paranoia...

Correct.

- Jeff Jirsa

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
Re: chkrootkit on 5.0-release... false positive?
On Thu, Feb 13, 2003 at 02:39:04AM -0500, Todd Zimmermann wrote:
> Was wondering if anyone else has gotten positives on a rather vague lkm trojan when running chkrootkit on 5.0-release p1 ?

By definition chkrootkit can only ever use guesswork, and will occasionally produce false positives (and false negatives).

Kris
chkrootkit on 5.0-release... false positive?
Was wondering if anyone else has gotten positives on a rather vague lkm trojan when running chkrootkit on 5.0-release p1 ? I ran it occasionally on 4.7 stable and it never found anything.

It's reporting chfn, chsh, date, ls, and ps as infected and a possible lkm trojan being loaded, plus 8-12 processes hidden from ps.

Thinking it's probably just the port not being in sync with the new release but being a believer in paranoia... Any feedback would be appreciated.
RE: chkrootkit help
Greetings,

I'd like to thank all who replied, the advice and suggestions were valuable and appreciated, not to mention timely!

It looks like it was a false positive. I ran netstat from cd, new chkrootkit compiled on a clean machine, and nmap remotely. It also made sense to mount / (-ro) from a clean machine and do a diff -r /bin /mnt/bin. There doesn't seem to be a security breach. I'll rebuild the machine anyway soon.

There's a known issue with chkrootkit reporting false positives running programs that use bindshell's ports. Although these aren't running on this machine (an _up-to-date_ DNS/mail server), it was in an unstable state for known reasons. An nmap from a remote machine of the entire network directed at the firewall showed nothing abnormal. I'm going to rebuild it anyway, but wanted to follow up. Also, if the above is misguided, please advise!

Again, thanks,
Riley

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hoskins
Sent: Monday, October 07, 2002 2:11 PM
To: Anthony Schneider
Cc: Riley; FreeBSD Security
Subject: Re: chkrootkit help

On Mon, 7 Oct 2002, Anthony Schneider wrote:
> > You could try using a trusted sockstat binary to verify what's listening on the local system.
> > % sockstat -4l
> quick aside: sockstat is a perl script, unless this changed with 4.6.2.

Eww, I hadn't noticed. Good point, stick to a safe netstat from cdrom, etc.
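Riley's verification step, mounting the suspect root read-only from a clean machine and running diff -r against the clean /bin, is the one check in this thread that does not depend on the suspect host's own binaries. The block below is an added example, not Riley's commands or anything from chkrootkit: it does the same tree comparison with SHA-256 digests, so the output is a list of modified, missing and extra paths rather than a byte-level diff. The two trees are constructed in a temporary directory with placeholder contents; the "cdrom/bin" and "mnt/bin" names are illustrative, and every function name is this example's own.

```python
"""Added example (not from the thread): the "mount / read-only from a clean
machine and diff -r /bin /mnt/bin" step from the follow-up, done with SHA-256
digests instead of diff so the report is a list of paths rather than a byte
dump. The trusted and suspect trees below are constructed in a temporary
directory; the paths "cdrom/bin" and "mnt/bin" are illustrative only."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def tree_digests(root: Path) -> Dict[str, str]:
    """Map each file under root (relative path) to its SHA-256.
    Symlinks are recorded by their target rather than followed, so a link
    swapped for a binary (or vice versa) shows up as a modification."""
    digests: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                digests[rel] = "symlink:" + os.readlink(path)
            else:
                digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(trusted: Path, suspect: Path) -> Dict[str, List[str]]:
    """Report files whose content differs, files missing from the suspect
    tree, and files present only there (where a rootkit would drop its own)."""
    t, s = tree_digests(trusted), tree_digests(suspect)
    return {
        "modified": sorted(p for p in t.keys() & s.keys() if t[p] != s[p]),
        "missing": sorted(t.keys() - s.keys()),
        "extra": sorted(s.keys() - t.keys()),
    }


def demo() -> Dict[str, List[str]]:
    """Build two small constructed trees and compare them. Contents are
    placeholder bytes, not real FreeBSD binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp, "cdrom", "bin")   # stands in for known-good media
        suspect = Path(tmp, "mnt", "bin")     # stands in for the root mounted -ro
        trusted.mkdir(parents=True)
        suspect.mkdir(parents=True)
        originals = {"ls": b"ELF ls 4.6.2", "ps": b"ELF ps 4.6.2", "date": b"ELF date 4.6.2"}
        for name, data in originals.items():
            (trusted / name).write_bytes(data)
        (suspect / "ls").write_bytes(originals["ls"] + b" + injected")  # tampered copy
        (suspect / "ps").write_bytes(originals["ps"])                    # intact copy
        (suspect / ".x").write_bytes(b"file not on the trusted media")    # extra file
        # "date" is deliberately absent from the suspect tree
        return compare_trees(trusted, suspect)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or 'none'}")
```

The comparison is only meaningful when the trusted tree is the same release and patch level as the suspect one; otherwise every legitimately updated binary is reported as modified, which is the same class of noise the chkrootkit reports in this thread produce. On FreeBSD the base system's mtree(8) can record a specification of a tree (including digests) and later check a tree against it, which lets this baseline be taken before an incident rather than reconstructed from install media afterwards.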
Re: chkrootkit help
;), Mon, Oct 07, 2002 at 11:47:15AM -0700, Riley said that

> Hi all,

hi

> (Let me know if this belongs in -questions)
>
> I could sure use some help interpreting this.
>
> A 4.6.2-RELEASE-p2 system (running bind 8.3.3-REL and sendmail 8.12.3) started getting syslog messages like:

try running the latest sendmail with the patch :) and upgrade your box

> /kernel: file: table is full

i know it :)

> along with related messages, then a core dump. (syslog for this date is below.) I took this as a side effect of a recent spamassassin install/upgrade (2.41) and increased kern.maxfiles to 8192 and max.vnodes to 16384. As the system

my kern.maxfiles is set to: 65536 and max.vnodes to 8662
and try to set up /etc/login.conf for users, see: man login.conf and all sections of files :)

> started to recover for fun I ran chkrootkit which came back with this:

try compiling lsof, it is better for ports

> Checking `bindshell'... INFECTED (PORTS: 114)

uf, audionews port

> A few minutes later and ever since chkrootkit returns:
>
> Checking `bindshell'... not infected
>
> netstat -an doesn't show anything on 114 and nothing unusual.

try: telnet localhost 114
but it can't help you; cvsup, then
#cd /usr/src/usr.sbin/named
#make
make install
make clean
and restart named

> The system is on a dmz with ports 25, 53 and 110 mapped through. Running chkrootkit on the firewall reported this:
>
> Checking `bindshell'... not infected
> Checking `lkm'... not tested: can't exec ./chkproc

try to recompile, linux ksec that's good for addresses of system calls, or run:
#nm kernel | grep -v '\(compiled\)\|\(\.o$$\)\|\( [aUw] \)\|\(\.\.ng$$\)\|\(LASH[RL]DI\)' | sort
to see your syscall addresses :)

> Checking `rexedcs'... not found
> Checking `sniffer'... xl0 is not promisc
> xl2 is not promisc
>
> I'm not sure what to think about can't exec ./chkproc. Also the xl1 interface is not reported in the output and is the dmz interface that the above machine is on. ifconfig shows:
>
> xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 10.100.100.1 netmask 0xff00 broadcast 10.100.100.255
>         inet6 fe80::260:8ff:fe31:e4b0%xl1 prefixlen 64 scopeid 0x2
>         ether 00:60:08:31:e4:b0
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
>
> Any comments would be greatly appreciated.
>
> Thanks,
> Riley
>
> That which does not kill us makes us stranger.
> --Kimchi
>
> Oct 7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect: I/O error on connection from [203.48.40.139], from=[EMAIL PROTECTED]
> Oct 7 08:45:13 aji /kernel: file: table is full
> Oct 7 08:45:14 aji last message repeated 38 times
> Oct 7 08:46:27 aji last message repeated 35 times
> Oct 7 09:14:05 aji sendmail[93085]: g97G8Xnm093085: SYSERR(root): collect: I/O error on connection from adsl-63-rev-addr, from=[EMAIL PROTECTED]
> Oct 7 09:22:17 aji /kernel: file: table is full
> Oct 7 09:22:20 aji last message repeated 17 times
> Oct 7 09:23:21 aji last message repeated 16 times
> Oct 7 09:23:23 aji sendmail[93320]: g97GEKpG093112: SYSERR(UID0): [EMAIL PROTECTED]... openmailer(local): pipe (to mailer): Too many open files in system

someone is playing with you :)

> Oct 7 09:23:25 aji sendmail[93112]: g97GEKpI093112: SYSERR(root): Cannot open hash database /etc/mail/aliases.db: Too many open files in system
> Oct 7 09:23:22 aji inetd[93322]: /etc/spwd.db: Too many open files in system
> Oct 7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
> Oct 7 09:25:42 aji /kernel: file: table is full
> Oct 7 09:25:43 aji last message repeated 4 times
> Oct 7 09:29:58 aji /kernel: file: table is full
> Oct 7 09:30:44 aji last message repeated 107 times
> Oct 7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11 (core dumped)

ajajaja

bye
--
20:57 up 2 days, 3:31, 4 users, load averages: 0,00 0,00 0,00
--
FreeBSD 5.0-CURRENT #16: root@kripel:/usr/src/sys/i386/compile/angel
--
powered by rado
--
chkrootkit help
Hi all,

I could sure use some help interpreting this. I guess I'd like to know if chkrootkit could give a false positive under a file table full condition?

A 4.6.2-RELEASE-p2 system (running bind 8.3.3-REL and sendmail 8.12.3) started getting syslog messages like:

/kernel: file: table is full

along with related messages, then a core dump. (syslog for this date is below.) I took this as a side effect of a recent spamassassin install/upgrade (2.41) and increased kern.maxfiles to 8192 and max.vnodes to 16384. As the system started to recover for fun I ran chkrootkit which came back with this:

Checking `bindshell'... INFECTED (PORTS: 114)

A few minutes later and ever since chkrootkit returns:

Checking `bindshell'... not infected

netstat -an doesn't show anything on 114 and nothing unusual.

The system is on a dmz with ports 25, 53 and 110 mapped through. Running chkrootkit on the firewall reported this:

Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec ./chkproc
Checking `rexedcs'... not found
Checking `sniffer'... xl0 is not promisc
xl2 is not promisc

I'm not sure what to think about can't exec ./chkproc. Also the xl1 interface is not reported in the output and is the dmz interface that the above machine is on. ifconfig shows:

xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.100.100.1 netmask 0xff00 broadcast 10.100.100.255
        inet6 fe80::260:8ff:fe31:e4b0%xl1 prefixlen 64 scopeid 0x2
        ether 00:60:08:31:e4:b0
        media: Ethernet autoselect (10baseT/UTP)
        status: active

Any comments would be greatly appreciated. If this isn't a 'false positive' I'll rebuild the machine.

Thanks,
Riley

That which does not kill us makes us stranger.
--Kimchi

Oct 7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect: I/O error on connection from [203.48.40.139], from=[EMAIL PROTECTED]
Oct 7 08:45:13 aji /kernel: file: table is full
Oct 7 08:45:14 aji last message repeated 38 times
Oct 7 08:46:27 aji last message repeated 35 times
Oct 7 09:14:05 aji sendmail[93085]: g97G8Xnm093085: SYSERR(root): collect: I/O error on connection from adsl-63-rev-addr, from=[EMAIL PROTECTED]
Oct 7 09:22:17 aji /kernel: file: table is full
Oct 7 09:22:20 aji last message repeated 17 times
Oct 7 09:23:21 aji last message repeated 16 times
Oct 7 09:23:23 aji sendmail[93320]: g97GEKpG093112: SYSERR(UID0): [EMAIL PROTECTED]... openmailer(local): pipe (to mailer): Too many open files in system
Oct 7 09:23:25 aji sendmail[93112]: g97GEKpI093112: SYSERR(root): Cannot open hash database /etc/mail/aliases.db: Too many open files in system
Oct 7 09:23:22 aji inetd[93322]: /etc/spwd.db: Too many open files in system
Oct 7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
Oct 7 09:25:42 aji /kernel: file: table is full
Oct 7 09:25:43 aji last message repeated 4 times
Oct 7 09:29:58 aji /kernel: file: table is full
Oct 7 09:30:44 aji last message repeated 107 times
Oct 7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11 (core dumped)