Jeff Maxwell wrote:

Upgrade your ports. The chkrootkit that ships with 4.9 gives false positives.


Jeff:


Thanks for the tip.

I deinstalled the chkrootkit (v-4.1) that came with 4.9. I then downloaded and installed the most recent version (v-4.3) from the chkrootkit.org site.

I re-ran chkrootkit and found NO infected files and NO rootkits.

Michael Chinn


On Apr 14, 2004, at 3:29 PM, Mike wrote:

Greetings:

My test system:
FreeBSD 4.9-stable
Pentium III 800

I read an earlier post about using chkrootkit to check for root kits (intrusions). I'm still learning about FreeBSD so I thought I would run this too.

Well... I installed and ran chkrootkit. And the output shows that:

Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED

No rootkits were found.

This FreeBSD system is a test server running Postfix, Samba, Apache, PHP4, MySQL, and akpop3. For a firewall I run IPFW.

This computer sits behind a NAT router (linksys BEFSR41). The Linksys router forwards a few ports (25, 110, 80) to a different server (a Redhat-9 system). However, NO PORTS are forwarded to this FreeBSD system.

My Redhat-9 server runs Apache, MySQL, PHP4, and Postfix.

Question: Does chkrootkit ever generate false positives?

This system has just a few test websites on it (test data) and nothing else. But if this system has been compromised, then how? Given that any public services (forwarded from the router) coming across ports 25, 110, 80, 22 are sent to a different server altogether?

I would appreciate any hints or pointers. Thank you.

Michael Chinn



_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
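Added example, not code from this thread or from chkrootkit: a POSIX sh script that pulls the INFECTED verdicts out of chkrootkit-style output and cross-checks each flagged binary against an administrator-kept SHA-256 baseline recorded at install time. An independent integrity check like this is how to tell a scanner false positive (as in the thread above) from a genuinely modified binary. The sample output, the baseline format ("<path> <sha256>" per line), the directory layout and the stand-in files are all constructed here.

```shell
#!/bin/sh
# Added example (not from the thread). Cross-check chkrootkit "INFECTED"
# verdicts against an independent SHA-256 baseline. Baseline format and
# sample data are constructed for this demo.

# Print the SHA-256 of a file, using whichever tool the host provides
# (sha256sum on Linux, sha256 on FreeBSD).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Constructed chkrootkit-style output, mirroring the lines quoted in the thread.
sample_output() {
    cat <<'EOF'
Checking `strings'... not infected
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED
EOF
}

# Read chkrootkit output on stdin; print the name of each binary it calls
# INFECTED, one per line. Matching lines look like: Checking `ls'... INFECTED
flagged_binaries() {
    sed -n "s/^Checking \`\([^']*\)'\.\.\. INFECTED\$/\1/p"
}

# verify_against_baseline BASELINE_FILE BINDIR < chkrootkit_output
# For every flagged name, compare BINDIR/name with the digest recorded in
# BASELINE_FILE. Prints "OK name", "MISMATCH name" or "UNKNOWN name" (no
# baseline entry) and returns the number of files that are not OK.
verify_against_baseline() {
    baseline=$1; bindir=$2; bad=0
    for name in $(flagged_binaries); do
        expected=$(awk -v p="$bindir/$name" '$1 == p { print $2 }' "$baseline")
        if [ -z "$expected" ]; then
            echo "UNKNOWN $name"; bad=$((bad + 1))
        elif [ "$(file_digest "$bindir/$name")" = "$expected" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# demo: build a scratch directory of constructed stand-in "binaries" and a
# baseline for them, then tamper with one file after the baseline is taken
# and leave ps out of the baseline, so all three verdicts appear. These are
# not real system files.
demo() {
    work=$(mktemp -d)
    bindir="$work/bin"; mkdir "$bindir"
    for name in chfn chsh date ls; do
        printf 'stand-in for %s\n' "$name" > "$bindir/$name"
    done
    # Record the baseline before tampering, as an administrator would right
    # after installation (and keep the real one on read-only media).
    for name in chfn chsh date ls; do
        printf '%s %s\n' "$bindir/$name" "$(file_digest "$bindir/$name")"
    done > "$work/baseline"
    printf 'modified\n' >> "$bindir/ls"
    sample_output | verify_against_baseline "$work/baseline" "$bindir" || true
    rm -rf "$work"
}

demo
```

On a real host the baseline would be taken from the freshly installed system (or the release media) rather than from the running binaries, and stored where an intruder with root cannot rewrite it; otherwise the comparison only proves the files have not changed since the baseline was made.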



