Re: [gentoo-user] sys-forensics/chkrootkit finds INFECTED binaries on ~amd64
On Sunday 27 March 2011 22:09:00 walt wrote:
> I just got an email from cron on my ~amd64 machine, containing these lines:
>
> Checking 'find'... INFECTED
> Checking 'netstat'... INFECTED
>
> Took me a few minutes to deduce that sys-forensics/chkrootkit was the source of those messages. I ran chkrootkit manually and found the same messages in the output. I then nervously re-emerged findutils and net-tools, but chkrootkit again found the same binaries to be INFECTED.
>
> Running chkrootkit on my ~x86 machine turns up no such infections even though the same packages are installed on both machines.
>
> Anyone have any insight into how chkrootkit works, or why the different results? Or, can anyone reproduce my problem?
>
> Thanks.

Just ran this on my stable amd64 PC and it looks OK:

...
Checking `find'... not infected
---
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
---
...

Did you run anything suspicious on your system?
--
Regards,
Mick
Re: [gentoo-user] sys-forensics/chkrootkit finds INFECTED binaries on ~amd64
On Sun, Mar 27, 2011 at 4:09 PM, walt w41...@gmail.com wrote:
> I just got an email from cron on my ~amd64 machine, containing these lines:
>
> Checking 'find'... INFECTED
> Checking 'netstat'... INFECTED
>
> Took me a few minutes to deduce that sys-forensics/chkrootkit was the source of those messages. I ran chkrootkit manually and found the same messages in the output. I then nervously re-emerged findutils and net-tools, but chkrootkit again found the same binaries to be INFECTED.
>
> Running chkrootkit on my ~x86 machine turns up no such infections even though the same packages are installed on both machines.
>
> Anyone have any insight into how chkrootkit works, or why the different results? Or, can anyone reproduce my problem?

chkrootkit is old, has not been updated in years+, and those are false alarms. I got the exact same ones.

Basically, chkrootkit is just grepping for a string inside those files:

/usr/bin/find: sharefile.h
/bin/netstat: sockaddr.h

You may find that if you strip those 2 binaries of debug data, the false positives go away.
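To triage an "INFECTED" verdict like the ones in this thread, the check below (an added example, not chkrootkit's own code) repeats chkrootkit's string grep but also reports which ELF section each match falls in: a match that exists only in .debug_* sections is the debug-data false positive the reply describes, and disappears once the binary is stripped. It assumes little-endian ELF64 and uses the strings the reply shows as signatures; the sample images are constructed inside the block rather than real find/netstat binaries.

```python
import struct
EHDR = "<16sHHIQQQIHHHHHH"  # ELF64 little-endian file header (64 bytes)
SHDR = "<IIQQQQIIQQ"        # ELF64 section header (64 bytes)

def section_map(data):
    """Return [(name, file_offset, size)] for every section of an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01": raise ValueError("not ELF64 LE")
    f = struct.unpack_from(EHDR, data, 0)
    shoff, shentsize, shnum, shstrndx = f[6], f[11], f[12], f[13]
    hdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    strtab = hdrs[shstrndx][4]  # file offset of .shstrtab, which holds section names
    name = lambda i: data[strtab + i:data.index(b"\0", strtab + i)].decode()
    return [(name(h[0]), h[4], h[5]) for h in hdrs]

def locate_signature(data, sig):
    """Emulate chkrootkit's grep for sig, then map every hit to its ELF section."""
    secs, hits, pos = section_map(data), [], data.find(sig)
    while pos != -1:
        hits.append((pos, next((n for n, o, s in secs if o <= pos < o + s), "<unmapped>")))
        pos = data.find(sig, pos + 1)
    return hits

def verdict(data, sig):
    """chkrootkit-style verdict, flagging hits that live only in DWARF .debug_* data."""
    hits = locate_signature(data, sig)
    if not hits:
        return "not infected"
    if all(sec.startswith(".debug") for _, sec in hits):
        return "INFECTED (only in debug sections: probable false positive)"
    return "INFECTED"

def build_elf(sections):
    """Assemble a minimal ELF64 image from [(name, bytes)]; constructed test input only."""
    names = [n for n, _ in sections] + [".shstrtab"]
    shstrtab, name_off = b"\0", {}
    for n in names:  # section-name string table; offsets recorded for sh_name
        name_off[n], shstrtab = len(shstrtab), shstrtab + n.encode() + b"\0"
    bodies = [b for _, b in sections] + [shstrtab]
    body, shnum = b"".join(bodies), len(names) + 1  # +1 for the mandatory null section
    hdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 0x3E, 1, 0, 0,
                      64 + len(body), 0, 64, 0, 0, 64, shnum, shnum - 1)
    shdrs, cur = [struct.pack(SHDR, *([0] * 10))], 64
    for n, b in zip(names, bodies):
        shdrs.append(struct.pack(SHDR, name_off[n], 1, 0, 0, cur, len(b), 0, 0, 1, 0))
        cur += len(b)
    return hdr + body + b"".join(shdrs)
# Constructed samples: a netstat-like image whose only "sockaddr.h" is in .debug_str, and the same image stripped.
UNSTRIPPED = build_elf([(".rodata", b"Active connections\0"), (".debug_str", b"bits/sockaddr.h\0")])
STRIPPED = build_elf([(".rodata", b"Active connections\0")])
```

For a real file, pass `open("/bin/netstat", "rb").read()` to `verdict`; a match outside the debug sections still deserves a package integrity check (on Gentoo, `qcheck net-tools` from portage-utils) rather than a shrug.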