public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] sys-forensics/chkrootkit finds INFECTED binaries on ~amd64
From: walt @ 2011-03-27 21:09 UTC
  To: gentoo-user

I just got an email from cron on my ~amd64 machine, containing these lines:

Checking 'find'... INFECTED
Checking 'netstat'... INFECTED

Took me a few minutes to deduce that sys-forensics/chkrootkit was the source
of those messages.  I ran chkrootkit manually and found the same messages in
the output.

I then nervously re-emerged findutils and net-tools, but chkrootkit again found
the same binaries to be "INFECTED".

Running chkrootkit on my ~x86 machine turns up no such infections even though
the same packages are installed on both machines.

Anyone have any insight into how chkrootkit works, or why the different results?

Or, can anyone reproduce my problem?

Thanks.

* Re: [gentoo-user] sys-forensics/chkrootkit finds INFECTED binaries on ~amd64
From: Mick @ 2011-03-28  8:05 UTC
  To: gentoo-user

On Sunday 27 March 2011 22:09:00 walt wrote:
> I just got an email from cron on my ~amd64 machine, containing these lines:
> 
> Checking 'find'... INFECTED
> Checking 'netstat'... INFECTED
> 
> Took me a few minutes to deduce that sys-forensics/chkrootkit was the
> source of those messages.  I ran chkrootkit manually and found the same
> messages in the output.
> 
> I then nervously re-emerged findutils and net-tools, but chkrootkit again
> found the same binaries to be "INFECTED".
> 
> Running chkrootkit on my ~x86 machine turns up no such infections even
> though the same packages are installed on both machines.
> 
> Anyone have any insight into how chkrootkit works, or why the different
> results?
> 
> Or, can anyone reproduce my problem?
> 
> Thanks.

Just ran this on my stable amd64 PC and it looks OK:

...
Checking `find'... not infected  <---
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected  <---
...

Did you run anything suspicious on your system?
-- 
Regards,
Mick


* Re: [gentoo-user] sys-forensics/chkrootkit finds INFECTED binaries on ~amd64
From: Paul Hartman @ 2011-03-28 14:24 UTC
  To: gentoo-user

On Sun, Mar 27, 2011 at 4:09 PM, walt <w41ter@gmail.com> wrote:
> I just got an email from cron on my ~amd64 machine, containing these lines:
>
> Checking 'find'... INFECTED
> Checking 'netstat'... INFECTED
>
> Took me a few minutes to deduce that sys-forensics/chkrootkit was the source
> of those messages.  I ran chkrootkit manually and found the same messages in
> the output.
>
> I then nervously re-emerged findutils and net-tools, but chkrootkit again
> found
> the same binaries to be "INFECTED".
>
> Running chkrootkit on my ~x86 machine turns up no such infections even
> though
> the same packages are installed on both machines.
>
> Anyone have any insight into how chkrootkit works, or why the different
> results?
>
> Or, can anyone reproduce my problem?

chkrootkit is old, has not been updated in years+, and those are false
alarms. I got the exact same ones. Basically, chkrootkit is just
grepping for a string inside those files:

/usr/bin/find: sharefile.h
/bin/netstat: sockaddr.h

You may find that if you strip those 2 binaries of debug data, the
false positives go away.
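Paul's explanation above (chkrootkit greps the binary for a fixed string, so unstripped debug data trips it) can be checked rather than taken on faith. The Python example below is added here and is not part of the thread: it replicates the naive substring test, then maps each hit to the ELF section it falls in, so a hit that lives only in `.debug_*` sections is reported as debug-info residue rather than an injected string. The ELF image it scans is constructed inside the block, and all function names are this example's own.

```python
import struct
ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")   # little-endian ELF64 file header
SEC_HDR = struct.Struct("<IIQQQQIIQQ")         # ELF64 section header (64 bytes)

def naive_check(data: bytes, signature: bytes) -> str:
    """chkrootkit-style test from the thread: signature anywhere in the file => INFECTED."""
    return "INFECTED" if signature in data else "not infected"

def elf_sections(data: bytes):
    """Yield (name, file_offset, size) for every section of an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = ELF_HDR.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    secs = [SEC_HDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = secs[shstrndx][4]      # sh_offset of .shstrtab
    for s in secs:                      # s[0]=sh_name, s[4]=sh_offset, s[5]=sh_size
        start = strtab_off + s[0]
        yield data[start:data.index(b"\0", start)].decode(), s[4], s[5]

def locate_signature(data: bytes, signature: bytes) -> list:
    """Names of the sections in which the signature string occurs."""
    hits, pos = [], data.find(signature)
    while pos != -1:
        hits += [n for n, off, size in elf_sections(data) if off <= pos < off + size]
        pos = data.find(signature, pos + 1)
    return hits

def classify(data: bytes, signature: bytes) -> str:
    """Refined verdict: hits confined to .debug_* sections are the debug-data
    residue the thread describes (what strip(1) removes), not an injected string."""
    if signature not in data:
        return "not infected"
    hits = locate_signature(data, signature)
    if hits and all(n.startswith(".debug") for n in hits):
        return "debug-info only (likely false positive)"
    return "INFECTED"

def build_sample_elf() -> bytes:
    """Constructed sample: minimal unstripped ELF64 whose only copy of the find
    signature sits in .debug_str, mirroring the reported false positive."""
    debug_str, shstrtab = b"sharefile.h\0", b"\0.debug_str\0.shstrtab\0"
    body = debug_str + shstrtab
    ehdr = ELF_HDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 62, 1, 0, 0,
                        ELF_HDR.size + len(body), 0, ELF_HDR.size, 0, 0, SEC_HDR.size, 3, 2)
    null_sec = SEC_HDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    dbg_sec = SEC_HDR.pack(1, 1, 0, 0, ELF_HDR.size, len(debug_str), 0, 0, 1, 0)
    str_sec = SEC_HDR.pack(12, 3, 0, 0, ELF_HDR.size + len(debug_str), len(shstrtab), 0, 0, 1, 0)
    return ehdr + body + null_sec + dbg_sec + str_sec
```

Pointing `classify()` at a real unstripped `/usr/bin/find` with `b"sharefile.h"` shows where the match actually lives; a hit in `.text` or `.rodata` deserves a closer look, a hit only in `.debug_str` is the case Paul describes.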

* [gentoo-user] Re: sys-forensics/chkrootkit finds INFECTED binaries on ~amd64
From: walt @ 2011-03-28 23:48 UTC
  To: gentoo-user

On 03/28/2011 07:24 AM, Paul Hartman wrote:
> On Sun, Mar 27, 2011 at 4:09 PM, walt<w41ter@gmail.com>  wrote:
>> I just got an email from cron on my ~amd64 machine, containing these lines:
>>
>> Checking 'find'... INFECTED
>> Checking 'netstat'... INFECTED
>>
>> Took me a few minutes to deduce that sys-forensics/chkrootkit was the source
>> of those messages.  I ran chkrootkit manually and found the same messages in
>> the output.
>
> chkrootkit is old, has not been updated in years+, and those are false
> alarms. I got the exact same ones. Basically, chkrootkit is just
> grepping for a string inside those files:
>
> /usr/bin/find: sharefile.h
> /bin/netstat: sockaddr.h
>
> You may find that if you strip those 2 binaries of debug data, the
> false positives go away.

Exactly so.  Thanks to you and Mick for the replies.
