From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] sys-forensics/chkrootkit finds INFECTED binaries on ~amd64
Date: Mon, 28 Mar 2011 09:05:46 +0100
User-Agent: KMail/1.13.5 (Linux/2.6.36-gentoo-r5; KDE/4.4.5; x86_64; ; )
List-Id: Gentoo Linux mail
Message-Id: <201103280905.56217.michaelkintzios@gmail.com>

On Sunday 27 March 2011 22:09:00 walt wrote:
> I just got an email from cron on my ~amd64 machine, containing these lines:
>
> Checking 'find'... INFECTED
> Checking 'netstat'... INFECTED
>
> Took me a few minutes to deduce that sys-forensics/chkrootkit was the
> source of those messages. I ran chkrootkit manually and found the same
> messages in the output.
>
> I then nervously re-emerged findutils and net-tools, but chkrootkit again
> found the same binaries to be "INFECTED".
>
> Running chkrootkit on my ~x86 machine turns up no such infections even
> though the same packages are installed on both machines.
>
> Anyone have any insight into how chkrootkit works, or why the different
> results?
>
> Or, can anyone reproduce my problem?
>
> Thanks.

Just ran this on my stable amd64 PC and it looks OK:

...
Checking `find'... not infected <---
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected <---
...

Did you run anything suspicious on your system?
-- 
Regards,
Mick
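Added example (not part of the thread, and not chkrootkit's own code): a small triage script showing why a chkrootkit-style verdict on find/netstat can survive a re-emerge. chkrootkit's binary tests work by looking for strings that known trojaned builds of those tools contained; a marker string that is legitimately present in a freshly built binary trips the test every time, no matter how often the package is reinstalled. The second check below asks the package manager instead: Gentoo's VDB records an MD5 per installed object in /var/db/pkg/<cat>/<pkg>/CONTENTS as "obj <path> <md5> <mtime>". The marker list, the ELF blobs and the CONTENTS text are constructed fixtures for this example, not chkrootkit's real signature list or real files.

```python
import hashlib
import re

# Illustrative marker strings standing in for the device-path signatures a
# chkrootkit-style scan greps out of find/netstat. This list is an assumption
# made for the example; it is not chkrootkit's own signature set.
MARKERS = ("/dev/ptyxx", "/dev/ttyop", "/dev/hdl0")

# Runs of 4+ printable ASCII bytes, the way strings(1) extracts them.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(data):
    """Return the printable-ASCII runs found in a binary blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def scan_markers(data):
    """Signature scan: which marker strings occur anywhere in the binary."""
    found = set()
    for s in printable_strings(data):
        for marker in MARKERS:
            if marker in s:
                found.add(marker)
    return sorted(found)


def parse_contents(contents_text):
    """Parse Gentoo VDB CONTENTS lines ('obj <path> <md5> <mtime>') into {path: md5}."""
    recorded = {}
    for line in contents_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "obj":
            recorded[fields[1]] = fields[2]
    return recorded


def md5_hex(data):
    # MD5 because that is the digest Portage records in CONTENTS; it is an
    # integrity cross-check against the install record, not a security primitive.
    return hashlib.md5(data).hexdigest()


def triage(path, data, recorded):
    """Combine the signature scan and the package-digest check into one verdict."""
    hits = scan_markers(data)
    intact = recorded.get(path) == md5_hex(data)
    if hits and intact:
        verdict = "false positive: marker present but file matches package digest"
    elif hits:
        verdict = "INFECTED: marker present and file differs from package digest"
    elif intact:
        verdict = "not infected"
    else:
        verdict = "modified: no marker, but file differs from package digest"
    return {"hits": hits, "intact": intact, "verdict": verdict}


# --- constructed fixtures (not real binaries) --------------------------------
ELF_HEADER = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
CLEAN_FIND = ELF_HEADER + b"find: missing argument to `-exec'\x00/usr/share/locale\x00"
# A legitimately built find whose string table happens to contain a marker.
LEGIT_FIND_WITH_MARKER = CLEAN_FIND + b"/dev/ptyxx\x00"
CLEAN_NETSTAT = ELF_HEADER + b"Active Internet connections\x00/proc/net/tcp\x00"
# A netstat altered after install: marker appended, so the recorded digest no longer matches.
TROJANED_NETSTAT = CLEAN_NETSTAT + b"/dev/hdl0\x00"

# What emerge would have recorded at install time for the files it actually installed
# (constructed CONTENTS text; digests computed here to simulate the install record).
CONTENTS = (
    f"obj /usr/bin/find {md5_hex(LEGIT_FIND_WITH_MARKER)} 1301299542\n"
    f"obj /bin/netstat {md5_hex(CLEAN_NETSTAT)} 1301299542\n"
    "dir /usr/share/doc/findutils\n"
)
RECORDED = parse_contents(CONTENTS)


if __name__ == "__main__":
    for path, blob in (("/usr/bin/find", LEGIT_FIND_WITH_MARKER),
                       ("/bin/netstat", TROJANED_NETSTAT)):
        print(path, "->", triage(path, blob, RECORDED)["verdict"])
```

On a real Gentoo box the equivalent of the second check is `qcheck findutils` (portage-utils) or `equery check findutils` (gentoolkit), which compare the installed files against the VDB record; `strings -a /usr/bin/find | grep /dev/` shows which string the scan is reacting to. A binary that passes the VDB check and still reads INFECTED is the signature scan matching the package's own build output, which is also why re-emerging the same sources produces the same verdict and why a differently built ~x86 binary can come out clean.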